Risk Management
Key to Security Certifications
Risk Management Summit
jorge.sebastiao@its.ws
Standards
ISO 27000 – principles and vocabulary
ISO 27001 – ISMS requirements (BS7799 – Part 2)
ISO 27002 – Code of practice (ISO/IEC 17799:2005)
ISO 27003 – ISMS Implementation guidelines
ISO 27004 – ISMS Metrics and measurement
ISO 27005 – ISMS Risk Management
ISO 27031 – ICT readiness for business continuity
BS25999 – Business Continuity Management
Certification Objective
British Standard BS25999
The BCM Lifecycle: BS 25999-1 2006
BCM Programme Management surrounds the cycle of:
Understanding the organization
Determining BCM strategy
Developing & implementing BCM response
Exercising, maintaining & reviewing
High level BC & Security policy management
Technical risk: assets, threats and vulnerability influence the possibility of occurrence
Non-technical risk management
Implementation of plan
Policy Driven Process
ISO 27004: Metrics & Measurement
ISO/IEC has a new project to develop an ISMS Metrics and Measurements Standard.
This development is aimed at addressing how to measure the effectiveness of ISMS implementations (processes and controls):
Performance targets
What to measure
How to measure
When to measure
ISO 27005: ISMS Risk Management
A new standard on ‘Information Security Risk Management’.
This standard is being drawn up by the DTI/Cabinet Office, with significant input from CSIA (Central Sponsor for Information Assurance).
Will be linked to MITS-2, a new management standard for ICT risk management.
Leverages ISO13335-4.
11 Key contexts ISO27001
Organizational and operational control areas:
1. Security policy
2. Organizing security
3. Asset management
4. HR security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance
11. Incident management
Risk Assessment & Mgmt Process
Risk Assessment:
Asset identification and valuation
Identification of vulnerabilities
Identification of threats
Evaluation of impacts
Business risks
Review of existing security controls
Rating/ranking of risks
Risk Management:
Identification of new security controls
Policy and procedures
Implementation and risk reduction
Risk acceptance (residual risk)
Gap analysis
Degree of assurance
Quantitative Risk Analysis
2 fundamental elements: probability of event, likely loss.
‘Annual Loss Expectancy, ALE’ or ‘Estimated Annual Cost, EAC’.
ALE or EAC is calculated by multiplying the potential loss by the probability.
Rank events in order of risk & make priorities.
Problems with risk analysis:
Associated with the unreliability & inaccuracy of the data
Probability not precise
Controls and countermeasures often tackle interrelated events
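Worked example, added here and not part of the original slides: the ALE calculation above applied to a small risk register, plus a check for the "probability not precise" problem the slide lists. Each event carries an optimistic and a pessimistic annual probability; if the priority order changes between the two, the ranking rests on data too imprecise to act on blindly. The event names, loss figures and probability ranges are constructed sample data.

```python
"""Quantitative risk analysis: ALE ranking and its sensitivity to imprecise probabilities.

Added example, not code from the original slides. The events, loss figures and
probability ranges in SAMPLE_EVENTS are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    name: str
    potential_loss: float    # loss if the event occurs once, in currency units
    probability_low: float   # optimistic estimate of occurrences per year
    probability_high: float  # pessimistic estimate of occurrences per year

    def ale(self, probability):
        """ALE (or EAC) = potential loss x probability of the event."""
        return self.potential_loss * probability

    def ale_range(self):
        """ALE under the optimistic and the pessimistic probability estimate."""
        return (self.ale(self.probability_low), self.ale(self.probability_high))

    def ale_midpoint(self):
        low, high = self.ale_range()
        return (low + high) / 2.0


def rank_by_ale(events):
    """Events in order of risk (highest midpoint ALE first), for setting priorities."""
    return sorted(events, key=lambda e: e.ale_midpoint(), reverse=True)


def ranking_is_robust(events):
    """True when the priority order is the same whichever end of the probability
    range is used. False means the order depends on the imprecise probability
    data the slide warns about, so the ranking should not be treated as settled."""
    by_low = [e.name for e in sorted(events, key=lambda e: e.ale(e.probability_low), reverse=True)]
    by_high = [e.name for e in sorted(events, key=lambda e: e.ale(e.probability_high), reverse=True)]
    return by_low == by_high


# Constructed sample register (not survey data).
SAMPLE_EVENTS = [
    RiskEvent("Ransomware outage", 500_000, 0.10, 0.30),
    RiskEvent("Data centre fire", 2_000_000, 0.01, 0.06),
    RiskEvent("Laptop theft", 24_000, 2.0, 3.0),
    RiskEvent("Insider fraud", 300_000, 0.02, 0.08),
]

if __name__ == "__main__":
    for event in rank_by_ale(SAMPLE_EVENTS):
        low, high = event.ale_range()
        print(f"{event.name:20s} ALE {low:>10,.0f} .. {high:>10,.0f} (midpoint {event.ale_midpoint():,.0f})")
    print("ranking robust to probability uncertainty:", ranking_is_robust(SAMPLE_EVENTS))
```

With the sample register, "Data centre fire" and "Laptop theft" swap places between the optimistic and pessimistic estimates, so the midpoint ranking alone would overstate how settled the priorities are.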
Qualitative Risk Analysis
Most widely used approach to risk analysis.
Probability data NOT required.
Makes use of the following interrelated elements:
Threats: things that can go wrong or can ‘attack’ the system. E.g. fire or fraud.
Vulnerabilities: make a system more prone to attack. E.g. a vulnerability for fire would be the presence of inflammable materials (e.g. paper).
Impact: loss as a result of threats. E.g. loss of reputation and interruption of business activity.
Implementation Process (client timeline)
Awareness
Pre-assessment
Initial assessment
Gap analyses
Asset register
Process mapping
Project evaluation
Evaluating system
Risk assessment
Applying controls
Writing statement
Threats and Risk
Threats: environmental, natural disasters, unexpected (“OOPS” factor), cyber terrorism, viruses, industrial espionage.
Business risks: employee & customer privacy, legislative violations, financial loss, intellectual capital, litigation, public image/trust.
Complexity: Increased Risk
“The future of digital systems is complexity, and complexity is the worst enemy of security.”
Bruce Schneier, Crypto-Gram Newsletter, March 2000
More complexity, more security flaws.
Complexity and Risk
Complexity & Reliability Risk:
1–10: Simple procedure, little risk
11–20: More complex, moderate risk
21–50: Complex, high risk
>50: Untestable, VERY HIGH RISK
Complexity & Bad Fix Probability
Essential Complexity (Un-structuredness) & Maintainability (future Reliability) Risk:
1–4: Structured, little risk
>4: Unstructured, high risk
Structural Analysis … Providing Actionable Metrics
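Worked example, added here and not from the original slides: measuring cyclomatic complexity of Python functions from their syntax tree and placing each in the reliability-risk band from the slide. It assumes the slide's bands refer to McCabe cyclomatic complexity (decision points plus one); the two functions in SAMPLE_SOURCE are constructed for the demonstration.

```python
"""Cyclomatic complexity measured against the risk bands from the slides.

Added example, not code from the original slides. It assumes the slide's
"Complexity & Reliability Risk" bands refer to McCabe cyclomatic complexity
(number of decision points plus one). SAMPLE_SOURCE is constructed here.
"""
import ast

# Upper bound (inclusive) and label for each band, as given on the slide.
RELIABILITY_BANDS = [
    (10, "Simple procedure, little risk"),
    (20, "More complex, moderate risk"),
    (50, "Complex, high risk"),
]
UNTESTABLE = "Untestable, VERY HIGH RISK"


def reliability_risk(complexity):
    """Map a cyclomatic complexity value to the slide's reliability-risk band."""
    for upper, label in RELIABILITY_BANDS:
        if complexity <= upper:
            return label
    return UNTESTABLE


class _DecisionCounter(ast.NodeVisitor):
    """Counts the decision points that add paths to a function's control flow."""

    def __init__(self):
        self.decisions = 0

    def _branch(self, node):
        self.decisions += 1
        self.generic_visit(node)

    # Each of these opens one additional path (an elif is a nested If, so it counts too).
    visit_If = visit_For = visit_AsyncFor = visit_While = _branch
    visit_ExceptHandler = visit_IfExp = _branch

    def visit_BoolOp(self, node):
        # `a and b and c` short-circuits: one extra path per extra operand.
        self.decisions += len(node.values) - 1
        self.generic_visit(node)

    def visit_comprehension(self, node):
        # One path for the loop itself plus one per `if` filter.
        self.decisions += 1 + len(node.ifs)
        self.generic_visit(node)


def cyclomatic_complexity(source):
    """Return {function name: cyclomatic complexity} for the top-level functions in `source`."""
    tree = ast.parse(source)
    result = {}
    for node in tree.body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            counter = _DecisionCounter()
            for statement in node.body:
                counter.visit(statement)
            result[node.name] = counter.decisions + 1
    return result


def risk_report(source):
    """List of (function, complexity, band) for every function in `source`."""
    return [(name, cc, reliability_risk(cc)) for name, cc in cyclomatic_complexity(source).items()]


# Constructed sample: one small function and one sprawling request validator.
SAMPLE_SOURCE = '''
def is_admin(user):
    if user.get("role") == "admin":
        return True
    return False


def validate_request(req):
    errors = []
    if not req.get("user"):
        errors.append("no user")
    if req.get("method") not in ("GET", "POST"):
        errors.append("bad method")
    for header in req.get("headers", []):
        if ":" not in header:
            errors.append("bad header")
    if req.get("body") and len(req["body"]) > 4096:
        errors.append("body too large")
    try:
        int(req.get("length", 0))
    except ValueError:
        errors.append("bad length")
    while errors and errors[-1] == "":
        errors.pop()
    return "ok" if not errors else errors
'''

if __name__ == "__main__":
    for name, cc, band in risk_report(SAMPLE_SOURCE):
        print(f"{name}: complexity {cc} -> {band}")
```

Run against a real code base, the same report points reviewers and testers at the functions whose complexity the slide rates as high or untestable risk.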
Examples - 1
Examples - 2
Can you afford it?
eBay – 12 June 1999 outage: 22 hrs. Cause: operating system failure. Cost: $3 million to $5 million revenue hit; 26% decline in stock price.
AT&T – 13 April 1998 outage: 6 to 26 hrs. Cause: software upgrade. Cost: $40 million in rebates; forced to file SLAs with the FCC (frame relay).
MCI – August 1999 frame relay outage: 10 days. Cause: software upgrade. Cost: up to 20 days free service to 3,000 enterprises.
Hershey Foods – September 1999 system failures. Cause: application rollout. Cost: delayed shipments; 12% decrease in 3Q99 sales; 19% drop in net income from 3Q98.
Dev. Bank of Singapore – 1 July 1999 to August 1999: processing errors. Cause: incorrect debiting of POS due to a system overload. Cost: embarrassment/loss of integrity; interest charges.
Charles Schwab & Co. – 24 February 1999 through 21 April 1999: 4 outages of at least 4 hrs. Cause: upgrades/operator errors. Cost: ???; announced that it had made a $70 million new infrastructure investment.
Causes of Unplanned Application Downtime
Operator errors: 40%
Application failures: 40%
Technology failures: 20%
Sources of Disaster
Survey of Disasters
Impact of Disaster
Impact of downtime over time (chart: time from minutes to days against $ impact from millions to billions)
Productivity: number of employees impacted × hours out × burdened hours = ?
Revenue: direct loss, compensatory payment, lost future revenues, billing losses and investment losses
Damaged reputation: customers, competitors gain advantage, suppliers, financial markets, business partners
Governance & performance: revenue recognition, cash flow, credit rating, stock price, regulatory fines
Direct financial/customer impact (productivity, revenue) grows at a constant rate; indirect impact (damaged reputation, governance and performance) grows exponentially.
Indirect impact of downtime can be far more severe and unpredictable.
Importance of Critical Infrastructures
Business Continuity Management
BCM Project: Business Continuity Planning Initiation → Business Impact Analysis → Risk Analysis → Recovery Strategy (Risk Reduction, Implement Standby Facilities, Create Planning Organization) → Group Plans and Procedures → Testing
BCM Ongoing Process: Policy, Scope, Resources, Organization; Change Management, Education, Testing, Review
Business Continuity timeline: Active Business → A successful recovery
Processes - Business Continuity Mgmt
Business Continuity Assessments / Audits
Risk Analysis
Business Impact Analysis
Continuity Strategies
Business Continuity Testing
Awareness and Training
Processes - Workflow
Risk and PDCA Model
Plan → Do → Check → Act, covering risk assessment and the plan, implementation and training, testing the BCP, and the residual risks carried by the BCP.
Risk Analysis provides focus: a matrix with Low/Medium/High on each axis; the High/High corner is the area of major concern.
Risk = Application Prioritization
Application Priority Rating | Recovery Time Objective | Recovery Requirements
AAA | 0–6 Hours | Disaster Recovery needed: restoration at a geographically remote data center. Local fail over should also be considered.
AA | 6–12 Hours | Disaster Recovery needed: restoration at a geographically remote data center. Local fail over should also be considered.
A | 12–24 Hours | Disaster Recovery needed: restoration at a geographically remote data center. Local fail over should also be considered.
B | 24–48 Hours | Fail over local, Disaster Recovery
C | 48–96 Hours | Scheduled/Delayed Recovery
D | Recovery in 1 Week | Scheduled/Delayed Recovery
E | Recovery when Resources Permit | Scheduled/Delayed Recovery
Metrics and Risk
Risk Management
Elimination
Reduction/Controls
Transfer/Outsource
Insurance
Residual
Not all risk can be eliminated via controls.
DR Strategies Options
Immediate, High-Impact Strategies. Decision tree:
Backup and mirroring options (5): Weekly Backup and Off-site Storage; Daily Backup and Off-site Storage; Weekly Mirroring & Electronic Vaulting; Daily Mirroring & Electronic Vaulting; Real-time Mirroring & Electronic Vaulting
Equipment agreements (2): Vendor Agreements; Quick Ship Agreements
Recovery sites (4): Owned Cold Site; Owned Hot Site; External Cold Site; External Hot Site
Decision Tree contains 5 x 2 x 4 = 40 strategic options
Strategy Optimization
Recovery strategy must be optimized to business requirements.
Chart: over recovery time, the cost of the mitigation strategy falls while lost revenue rises; the optimum mitigation strategy lies where the two balance.
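Worked example, added here and not from the original slides, tying together the application priority ratings, the 5 x 2 x 4 decision tree and the strategy optimization chart: enumerate all 40 strategic options, score each by cost of strategy plus lost revenue over its recovery time, and pick the cheapest one that still meets the application's RTO tier. The option names and RTO tiers come from the slides; the annual costs, the hours each component needs, the modelling of a combination's recovery time as its slowest component, and the single-outage lost-revenue model are constructed assumptions.

```python
"""DR strategy selection over the 5 x 2 x 4 decision tree against RTO tiers.

Added example, not code from the original slides. The annual costs and recovery
hours per option are constructed sample figures; the option names and the tier
table come from the slides. Recovery time of a combination is modelled as the
slowest of its three components, and lost revenue as one outage of that length
per year (both assumptions).
"""
from itertools import product

# (option name, annual cost, hours until this component is usable) -- constructed figures
DATA_OPTIONS = [
    ("Weekly backup & off-site storage", 10_000, 72),
    ("Daily backup & off-site storage", 25_000, 24),
    ("Weekly mirroring & electronic vaulting", 40_000, 12),
    ("Daily mirroring & electronic vaulting", 60_000, 6),
    ("Real-time mirroring & electronic vaulting", 120_000, 1),
]
EQUIPMENT_OPTIONS = [
    ("Vendor agreements", 5_000, 48),
    ("Quick ship agreements", 20_000, 4),
]
SITE_OPTIONS = [
    ("External cold site", 15_000, 48),
    ("Owned cold site", 50_000, 24),
    ("External hot site", 90_000, 4),
    ("Owned hot site", 200_000, 2),
]

# Upper bound of the Recovery Time Objective, in hours, per application priority
# rating from the slide's table; E ("when resources permit") has no bound.
RTO_HOURS = {"AAA": 6, "AA": 12, "A": 24, "B": 48, "C": 96, "D": 168, "E": None}


def enumerate_strategies():
    """All 40 combinations as (component names, annual cost, recovery hours)."""
    strategies = []
    for data, equip, site in product(DATA_OPTIONS, EQUIPMENT_OPTIONS, SITE_OPTIONS):
        names = (data[0], equip[0], site[0])
        cost = data[1] + equip[1] + site[1]
        hours = max(data[2], equip[2], site[2])  # slowest component gates recovery
        strategies.append((names, cost, hours))
    return strategies


def total_cost(strategy, lost_revenue_per_hour):
    """Cost of strategy plus lost revenue for one outage lasting the recovery time."""
    _, cost, hours = strategy
    return cost + lost_revenue_per_hour * hours


def optimum_strategy(rating, lost_revenue_per_hour):
    """Cheapest strategy (cost + lost revenue) whose recovery time meets the
    rating's RTO. Returns None when no option in the tree can meet the RTO,
    which means the tree needs more options or the requirement needs revisiting."""
    limit = RTO_HOURS[rating]
    feasible = [s for s in enumerate_strategies() if limit is None or s[2] <= limit]
    if not feasible:
        return None
    return min(feasible, key=lambda s: total_cost(s, lost_revenue_per_hour))


if __name__ == "__main__":
    hourly_loss = 2_000  # constructed lost revenue per hour of outage
    for rating in ("AAA", "A", "E"):
        best = optimum_strategy(rating, hourly_loss)
        names, cost, hours = best
        print(f"{rating}: {' + '.join(names)} | {hours} h | "
              f"strategy {cost:,} + lost revenue {hourly_loss * hours:,} = {total_cost(best, hourly_loss):,}")
```

With the constructed figures, the unconstrained optimum (rating E) is a 48-hour strategy that is cheaper overall than the best 24-hour one, but it would breach an A-rated application's RTO; that gap is why the slide insists the optimization be tied to business requirements rather than to cost alone.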
Response and Risk approach
Risk Management and Business Controls
Impact escalates from events to incidents to crises:
Events: assess impact of events & implement appropriate controls.
Incidents: monitor & resolve at appropriate level using processes (Incident Management Process).
Crises: monitor & resolve the “critical few” with crisis management team (Crisis Management Process).
New Technologies, New Risks
Laptops
Mobiles
Bluetooth
PDA
Smart Card
Social Engineering Risk
“… 70 percent of those asked said they would reveal their computer passwords for a … bar of chocolate.”
Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1
Framework must address Risk
Threats exploit vulnerabilities and increase risks; vulnerabilities expose assets and increase risks; assets have business impact, which increases risks and indicates security requirements; security requirements are met by controls; controls protect against threats and reduce risks.
Example: Top SCADA Risks
SCADA Security Survey – May 2005 (chart: number of responses, n=35, scale 0–30):
Unauthorized manipulation of components, switches, breakers, etc. from the SCADA system
Denial of service to SCADA system
Disaster recovery
Software / patch management
Operating system vulnerabilities
Vandalism or sabotage (electronic)
Computer viruses, worms, Trojan horses, zero day attacks
Remote access/VPN
Integration of Logical and Physical
Business Security Management brings together Physical Security Management and ICT Security Management.
Leveraging Standards
ICT & Business Continuity: Risk Key Performance Indicators
CoBiT (metrics), ITIL, ISO20000 (& BS15000), ISO27001, ISO27031, BS25999
Risk Provides Focus
Business Impact \ Vulnerability | High | Medium | Low
High | A | B | C
Medium | B | B | C
Low | C | C | D
Part of Defense in depth
Risk Trade Offs
Secure / Low Risk, Fast/Easy, Cheap: in Risk Management there are trade-offs.
Risk Management/Security Certifications
Risk Management ties together risk analysis, risk assessment, risk mitigation and controls with ISO27001 (SOA), ISO27031 and BS25999.
Questions

RTA AI for traffic management version 1.4
 
IGF2017 Data is new oil - UN Internet Governance Forum
IGF2017 Data is new oil - UN Internet Governance ForumIGF2017 Data is new oil - UN Internet Governance Forum
IGF2017 Data is new oil - UN Internet Governance Forum
 
ADIPEC physical and Infosec for Oil and Gas
ADIPEC physical and Infosec for Oil and GasADIPEC physical and Infosec for Oil and Gas
ADIPEC physical and Infosec for Oil and Gas
 
AVSEC are you flying cybersafe?
AVSEC are you flying cybersafe?AVSEC are you flying cybersafe?
AVSEC are you flying cybersafe?
 
Are we ready for IoT? VU Version 7
Are we ready for IoT? VU Version 7Are we ready for IoT? VU Version 7
Are we ready for IoT? VU Version 7
 

Kürzlich hochgeladen

The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwaitdaisycvs
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with CultureSeta Wicaksana
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noidadlhescort
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Centuryrwgiffor
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...Aggregage
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsIndeedSEO
 
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...lizamodels9
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...amitlee9823
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876dlhescort
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...allensay1
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Anamikakaur10
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756dollysharma2066
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLkapoorjyoti4444
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayNZSG
 
Malegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Malegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort ServiceMalegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Malegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort ServiceDamini Dixit
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataExhibitors Data
 
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...amitlee9823
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 

Kürzlich hochgeladen (20)

The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 
Malegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Malegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort ServiceMalegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Malegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors Data
 
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 

Risk mgmt key to security certifications v2

  • 1. Risk Management Key to Security Certifications Risk Management Summit jorge.sebastiao@its.ws
  • 2. Standards ISO 27000 – principles and vocabulary ISO 27001 – ISMS requirements (BS7799 – Part 2) ISO 27002 – (ISO/ IEC 17799:2005) ISO 27003 – ISMS Implementation guidelines ISO 27004 – ISMS Metrics and measurement ISO 27005 – ISMS Risk Management ISO 27031 - ICT readiness for business continuity BS25999 – Business Continuity Management
  • 4. British Standard BS25999 The BCM Lifecycle: BS 25999-1 2006 BCM Programme Management Understanding the organization Determining BCM strategy Developing & implementing BCM response Exercising, maintaining & reviewing
  • 5. High level BC & Security policy management: technical risk (assets, threats, vulnerability, influence, possibility of occurrence); non-technical risk management; implementation of plan. Policy Driven Process
  • 6. ISO 27004 : Metrics & Measurement ISO/IEC has a new project to develop an ISMS Metrics and Measurements Standard This development is aimed at addressing how to measure the effectiveness of ISMS implementations (processes and controls) Performance targets What to measure How to measure When to measure
  • 7. ISO 27005: ISMS Risk Management. A new standard on ‘Information Security Risk Management’. This standard is being drawn up by the DTI/Cabinet Office – with significant input from CSIA (Central Sponsor for Information Assurance). Will be linked to MITS-2 - a new management standard for ICT risk management. Leverages ISO13335-4
  • 8. 11 Key contexts ISO27001 (Organizational / Operational): 1. Security policy 2. Organizing security 3. Asset Management 4. HR security 5. Physical and environmental security 6. Communications and operations management 7. Access control 8. Systems development and maintenance 9. Business continuity management 10. Compliance 11. Incident Management
  • 9. Asset Identification and Valuation Identification of Vulnerabilities Identification of Threats Evaluation of Impacts Business Risks Review of existing security controls Risk Assessment Rating/ranking of Risks Risk Management Identification of new security controls Policy and Procedures Implementation and Risk Reduction Risk Acceptance (Residual risk) Gap analysis Degree of Assurance Risk Assessment & Mgmt Process
  • 10. Quantitative Risk Analysis. 2 fundamental elements: probability of event, likely loss. ‘Annual Loss Expectancy, ALE’ or ‘Estimated Annual Cost, EAC’. ALE or EAC calculated by multiplying the potential loss by the probability. Rank events in order of risk & make priorities. Problem with risk analysis: associated with the unreliability & inaccuracy of the data. Probability not precise. Controls and countermeasures often tackle interrelated events
  • 11. Qualitative Risk Analysis Most widely used approach to risk analysis Probability data NOT required Make use of the following interrelated elements: Threats: things that can go wrong or can ‘attack’ the system. E.g. fire or fraud Vulnerabilities: make a system more prone to attack E.g. a vulnerability for fire would be the presence of inflammable materials (e.g. paper) Impact: loss as a result of threats. E.g. loss of reputation and interruption of business activity.
  • 16. Complexity: Increased Risk. “The Future of digital systems is complexity, and complexity is the worst enemy of security.” Bruce Schneier, Crypto-Gram Newsletter, March 2000
  • 17. More complexity, more Security Flaws. Complexity & Reliability Risk: 1–10 Simple procedure, little risk; 11–20 More complex, moderate risk; 21–50 Complex, high risk; >50 Untestable, VERY HIGH RISK. Complexity & Bad Fix Probability. Essential Complexity (Un-structuredness) & Maintainability (future Reliability) Risk: 1–4 Structured, little risk; >4 Unstructured, High Risk. Structural Analysis … Providing Actionable Metrics. Complexity and Risk
  • 20. Can you afford it? eBay 12 June 1999 outage: 22 hrs. Operating System failure Cost: $3 million to $5 million revenue hit 26% decline in stock price AT&T 13 April 1998 outage: 6 to 26 hrs. Software Upgrade Cost: $40 million in rebates Forced to file SLAs with the FCC (frame relay) MCI August 1999 frame relay outage: 10 days Software Upgrade Cost: Up to 20 days free service to 3,000 enterprises Hershey Foods September 1999 system failures Application Rollout Cost: delayed shipments; 12% decrease in 3Q99 sales; 19% drop in net income from 3Q98 Dev. Bank of Singapore 1 July 1999 to August 1999: Processing Errors Incorrect debiting of POS due to a system overload Cost: Embarrassment/loss of integrity; interest charges Charles Schwab & Co. 24 February 1999 through 21 April 1999: 4 outages of at least 4 hrs. Upgrades/Operator Errors Cost: ???; Announced that it had made a $70 million new infrastructure investment. Causes of Unplanned Application Downtime Operator Errors 40% Application Failures 40% Technology Failures 20%
  • 22. Impact of Disaster. Productivity: Number of employees impacted x hours out x burdened hours = ? (productivity/employees). Revenue: Direct loss, compensatory payment, lost future revenues, billing losses and investment losses (direct financial/customer). Damaged reputation: Customers, competitors gain advantage, suppliers, financial markets, business partners. Governance & performance: Revenue recognition, cash flow, credit rating, stock price, regulatory fines. Chart: time (minutes to days) against $ impact ($millions to $billions); direct impact shows a constant increase, while the indirect impact of downtime can be far more severe and unpredictable (exponential increase)
  • 23. Importance of Critical Infrastructures
  • 24. Business Continuity Management: Business Impact Analysis, Risk Analysis, Recovery Strategy, Group Plans and Procedures, Business Continuity Planning, Initiation, Risk Reduction, Implement Standby Facilities, Create Planning Organization, Testing. PROCESS: Change Management, Education, Testing, Review. Policy, Scope, Resources, Organization. BCM Ongoing Process; BCM Project
  • 26. Processes - Business Continuity Mgmt Business Continuity Assessments / Audits Risk Analysis Business Impact Analysis Continuity Strategies Business Continuity Testing Awareness and Training
  • 28. Risk and PDCA Model Plan Act Check Do Test BCP BCP Residual Risks Implement Training Plan Risk Assessment
  • 29. Risk Analysis provides focus High Medium Low Low Medium High Area of Major Concern
  • 30. Risk = Application Prioritization. Application Priority Rating / Recovery Time Objective / Recovery Requirements: AAA, 0–6 Hours, Disaster Recovery needed: Restoration at a geographically remote data center, local fail over should also be considered; AA, 6–12 Hours, Disaster Recovery needed: Restoration at a geographically remote data center, local fail over should also be considered; A, 12–24 Hours, Disaster Recovery needed: Restoration at a geographically remote data center, local fail over should also be considered; B, 24–48 Hours, Fail over Local, Disaster Recovery; C, 48–96 Hours, Scheduled/Delayed Recovery; D, Recovery in 1 Week, Scheduled/Delayed Recovery; E, Recovery when Resources Permit, Scheduled/Delayed Recovery
  • 33. DR Strategies Options Immediate, High-Impact Strategies Weekly Backup and Off-site Storage Daily Backup and Off-site Storage Weekly Mirroring & Electronic Vaulting Daily Mirroring & Electronic Vaulting Real-time Mirroring & Electronic Vaulting Vendor Agreements Quick Ship Agreements Owned Cold Site Owned Hot Site External Cold Site External Hot Site Decision Tree contains 5 x 2 x 4 = 40 strategic options
  • 34. Strategy Optimization. Recovery strategy must be optimized to business requirements. Chart: Time against Cost of Strategy, with Mitigation and Lost Revenue curves; Optimum Mitigation Strategy
  • 35. Response and Risk approach: Risk Management and Business Controls. Events, Incidents, Crises (ordered by impact). Monitor & resolve the “critical few” with crisis management team; Assess impact of events & implement appropriate controls; Monitor & resolve at appropriate level using processes. Incident Management Process; Crisis Management Process
  • 36. New Technologies, New Risks Laptops Mobiles Bluetooth PDA Smart Card
  • 37. Social Engineering Risk … 70 percent of those asked said they would reveal their computer passwords for a … bar of chocolate. Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1
  • 38. Framework must address Risk. Relationship diagram between Threats, Vulnerabilities, Controls, Risks, Assets, Security Requirements and Business Impact: Threats exploit Vulnerabilities; Vulnerabilities expose Assets; Threats increase Risks; Vulnerabilities increase Risks; Business Impact increases Risks; Assets have Business Impact; Controls protect against Threats; Security Requirements are met by Controls; Risks indicate Security Requirements; Controls reduce Risks
  • 39. Example: Top SCADA Risks (SCADA Security Survey – May 2005; bar chart of Number of Responses, n=35, scale 0–30): Unauthorized manipulation of components, switches, breakers, etc. from the SCADA system; Denial of service to SCADA system; Disaster Recovery; Software / patch management; Operating system vulnerabilities; Vandalism or sabotage (electronic); Computer viruses, worms, Trojan horses, zero day attacks; Remote access/VPN
  • 40. Integration of Logical and Physical Business Security Management Physical Security Management ICT Security Management
  • 41. Leveraging Standards ICT & Business Continuity Risk Key Performance Indicators CoBiT, Metrics ITIL ISO20000 ( & BS15000) ISO27001 ISO27031 BS25999
  • 42. Risk Provides Focus. Matrix of Business Impact (rows) against Vulnerability (columns High, Medium, Low): High impact: A, B, C; Medium impact: B, B, C; Low impact: C, C, D
  • 43. Part of Defense in depth
  • 44. Risk Trade Offs: Secure, Low Risk, Fast/Easy, Cheap. In Risk Management there are trade-offs
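As an added example that is not part of the slide deck, the following Python puts slide 10's ALE ranking, slide 9's residual risk and slide 42's Business Impact x Vulnerability matrix into one small risk register, and adds a stability check for slide 10's caveat that probability estimates are not precise; the register entries and control figures are constructed sample data.

```python
"""Added example (not from the slides): a minimal risk register applying the
deck's rules: ALE ranking (slide 10), residual risk (slide 9), the Business
Impact x Vulnerability focus matrix (slide 42), plus a robustness check for the
imprecise-probability caveat. All entries below are constructed sample data."""
from dataclasses import dataclass

# Slide 42 matrix: rows are Business Impact, columns are Vulnerability;
# 'A' is the class needing the most attention and 'D' the least.
FOCUS_MATRIX = {
    "High":   {"High": "A", "Medium": "B", "Low": "C"},
    "Medium": {"High": "B", "Medium": "B", "Low": "C"},
    "Low":    {"High": "C", "Medium": "C", "Low": "D"},
}


@dataclass
class Risk:
    name: str
    single_loss: float           # potential loss per occurrence (currency units)
    annual_probability: float    # expected occurrences per year; may exceed 1.0
    impact: str                  # qualitative Business Impact: High/Medium/Low
    vulnerability: str           # qualitative Vulnerability: High/Medium/Low
    control_cost: float = 0.0    # annual cost of a candidate countermeasure
    control_effect: float = 0.0  # fraction of the ALE that countermeasure removes


def ale(risk: Risk) -> float:
    """Annual Loss Expectancy (slide 10): potential loss x probability."""
    return risk.single_loss * risk.annual_probability


def focus_class(risk: Risk) -> str:
    """Map the qualitative ratings through the slide-42 matrix."""
    try:
        return FOCUS_MATRIX[risk.impact][risk.vulnerability]
    except KeyError as exc:
        raise ValueError(f"{risk.name}: ratings must be High/Medium/Low") from exc


def residual_ale(risk: Risk) -> float:
    """ALE left after the countermeasure (the 'residual risk' of slide 9)."""
    return ale(risk) * (1.0 - risk.control_effect)


def control_worthwhile(risk: Risk) -> bool:
    """A countermeasure pays for itself when the ALE it removes exceeds its cost."""
    return ale(risk) - residual_ale(risk) > risk.control_cost


def rank(register: list) -> list:
    """Order events by ALE, highest first; equal ALEs fall back to the focus class."""
    return sorted(register, key=lambda r: (-ale(r), focus_class(r), r.name))


def ranking_is_robust(register: list, factor: float) -> bool:
    """Slide 10 warns that probabilities are not precise. If each probability
    could really lie anywhere in [p/factor, p*factor], the ranking only holds
    when every entry's pessimistic ALE still beats the next one's optimistic ALE."""
    ordered = rank(register)
    return all(ale(a) / factor > ale(b) * factor
               for a, b in zip(ordered, ordered[1:]))


# Constructed sample register (illustrative figures, not taken from the slides).
REGISTER = [
    Risk("Data centre fire", 2_000_000, 0.005, "High", "Low", 4_000, 0.5),
    Risk("Website defacement", 10_000, 0.5, "Low", "Medium"),
    Risk("Ransomware on file server", 200_000, 0.25, "High", "High", 15_000, 0.8),
    Risk("Laptop theft", 5_000, 4.0, "Medium", "High", 25_000, 0.9),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.name:28s} ALE={ale(r):>9,.0f}  class={focus_class(r)}  "
              f"control worthwhile={control_worthwhile(r)}")
    print("ranking robust to x1.2 probability error:", ranking_is_robust(REGISTER, 1.2))
    print("ranking robust to x1.5 probability error:", ranking_is_robust(REGISTER, 1.5))
```

The robustness check is the practical point: a ranking that flips under a modest error in the probability estimates should not drive control spending on its own, which is why the deck pairs the quantitative method with the qualitative matrix.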