Enterprise Information Technology Risk Assessment Form
Die SlideShare-Präsentation wird heruntergeladen.
×
![Tool ISACA risk statements
[Event that has an effect on CIA
objectives on IT assets] caused by
[threat/s] resulting in
[co...](https://image.slidesharecdn.com/tipsforitriskmanagement3-210602044617/75/tips-for-it-risk-management-prof-hernan-huwyler-information-security-institute-18-2048.jpg?cb=1668183224)
Hier ansehen
Empfohlen
Weitere Verwandte Inhalte
Diashows für Sie (20)
Ähnlich wie Tips for IT Risk Management Prof. Hernan Huwyler Information Security Institute (20)
Weitere von Hernan Huwyler, MBA CPA (20)
Aktuellste (20)
Tips for IT Risk Management Prof. Hernan Huwyler Information Security Institute
- 1. 2021 Global Risk Management Day
- 2. Prof. Hernan Huwyler MBA CPA Tips for IT risk management What to do + what to avoid
- 3. Identification
- 4. Risk effect of uncertainty on objectives
- 5. Objectives for IT risks Confidentiality Integrity Availability on IT assets
- 6. Assets at risk IT assets Data Hardware and facilities Software Contracts, services and licenses Skills
- 7. Example for confidentiality Shall indemnify Customer against all losses in case of a data breach
- 8. Example for integrity Input data errors should be lower than 0.04 %
- 9. Example for availabilty Shall reduce fees by 4% in case of 95 to 98% service availability
- 10. What to do Facilitate risk assessments well before decisions are made by IT architects, engineers and managers
- 11. What to do Follow the in-transit and at-rest data for an end-to-end analysis fully covering the IT assets under scope
- 12. What to do Simple governance focused on the decision-maker IT asset owner = risk owner = contract owner = control owner = compliance owner
- 13. What to do Identify measurable requirements from feasibility analysis, contracts, blueprints, project plans, budgets, cyber programs, internal policies, and regulations
- 14. What to avoid Don´t use control assessments, compliance checklists and vulnerability tests for risk identification
- 15. What to avoid Compliance with an IT control is not an objective per se Vulnerable assets and non-compliances are not treated as potential risks but as known facts to remediate
- 16. What to avoid Don´t use generic scenarios only based on threat and vulnerability taxonomies and relying on static snapshots
- 17. What to avoid Don´t add multiple roles to the risk ownership such as process owners, delegates, control owners, and SMEs
- 18. Tool ISACA risk statements [Event that has an effect on CIA objectives on IT assets] caused by [threat/s] resulting in [consequence/s]
- 19. Tool ISACA risk statements Compromise of unencrypted HR data in transit to the AWS cloud caused by eavesdropping resulting in contractual and privacy fines
- 20. Risk statements for measuring There is a 5% chance this year that eavesdropping on HR data in transit to the AWS cloud results in fines between USD .3M to 1.85M
- 21. Quantification
- 22. Annualized Loss Expectancy Cause * Consequence > Continuous function Probability * Impact > Bow-tie Annual Rate of Occurrence * Single Loss Expectancy
- 23. Annualized Loss Expectancy Based on the added value of the IT asset at risk on objectives Range of potential values
- 24. Impact > Single Loss Expectancy • Potential range of monetized losses • Decision trees • Best, worse and base cases
- 25. Tool Single Loss Calculator
- 26. Tool Single Loss Calculator 2 Min Max Ln (Max) + Ln (Min) Standard Error Confidence Interval Confidence Interval Standard Error 80% 2.56 90% 3.29 95% 3.92 99% 5.15 Loss USD Nr Cases P(A), μ = , σ = Ln Single Loss USD = Ln (Max) - Ln (Min) z*-value*2
- 27. Tool Single Loss Calculator 2 Ln (Max) + Ln (Min) Standard Error P(A), μ = , σ = Ln Single Loss USD = Ln (Max) - Ln (Min) Expected loss USD = Single Loss USD 2 2 * Probability e
- 28. Tool Single Loss Calculator
- 29. Tool Single Loss Calculator
- 30. Ranges of potential outcomes Confidentiality > Min and max number of disclosed records or affected clients Integrity > Min and max number of inaccurate records Availability > Min and max outage hours and affected users
- 31. There is not “security” in information security Therefore, you need to use probabilities for a rational decision- making when data is limited
- 32. If an objective in a risk assessment matters, you can observe a range of possible outcomes Therefore, you can measure the possible outcomes for decision-making
- 33. Primary impact • Downtime costs • Notification and response costs • Damage on IT assets • Contractual penalties • Fraud losses
- 34. Secondary impact • Profitablity losses of potential and current clients • Regulatory fines • IP and competitive losses • Cost of changing the CISO
- 35. Tool > Decision tree Materialized Risk 1 Impact 1 Impact A Secondary impacts Primary impacts Impact B Impact 2 Impact C Impact D Event 1 P (A) Event 2 P (∼A)
- 36. Tool > Decision tree Crown jewel asset “Stepping stone” assets Event 1 P (A) Event 2 P (A) Event x P (A)
- 37. What to do Disaggregate impacts by tangible cost items to use probabilistic methods for risk scenarios
- 38. What to do Cost items can be expressed in monetary terms but also in number of hours, datasets, clients, users, contracts, and work days
- 39. Example Downtime costs = Downtime hrs x Cost-per-hr 3.25 5 90% confidence Interval Hours Nr Cases 34k USD 95% confidence Interval Cost per hr Nr Cases 54k USD x 10% of the expected cases are not between 3.25 and 5 hs
- 40. Example https://doi.org/10.1155/2019/6716918 Impact ranges expressed in M$
- 41. Downtime costs • Revenue losses during/after downtime Business value of IT asset at risk / Downtime hrs x % Uptime • Discounts and compensations • Employee productivity costs Avg hr salary / Downtime and refocus hrs x Number of affected employees and contractor) • Inventory and logistic overcosts
- 42. Notification and response costs • Crisis management • Help desk and IT staff overtime • Forensic investigations and audits • Notifications to boards, regulators, investors and affected parties
- 43. Damage on IT assets costs • Urgent replacements and repairs • Setting and instalation • Back up • Lost data recovery
- 44. Contractual penalties • Penalties and damages • Force majeure and default • Disputes • Cost of changing IT vendors
- 45. Present value of countermeasures • Outsourcing costs • Cyber insurance • Costs of implementing IT controls • Costs of executing IT controls
- 46. Present value of countermeasures • Price increases for liability clauses with IT service providers • Reserve for IT risks • Threat avoidance • IT asset substitution
- 47. Return on Investment Primary impact Secondary impact Annualized Loss Expectancy Present value of countermeasures
- 48. Tool > Loss exceedance curve Loss 0.001 0.01 0.1 1 10 100 0% 25% 50% 75% 100% Loss Chance 5% 95%
- 49. What to do Improve the planning tools used by decision-makers with better assessment of assumptions (e.g. IT investments, due diligence)
- 50. What to do Learn about statistical methods if you want to facilitate the assessment of IT risks
- 51. What to do Measure the impact of risk incidents and compare plans against actual outcomes to improve your risk data and use regression‐based methods
- 52. Poll What metrics are you using to measure the cyber security performance?
- 53. What to avoid Don´t use qualitative criteria and scoring systems with scientifically proven flaws preventing corporate defense and conducting to malpractice
- 54. What to avoid, once again Using high, medium, low or 1 to 5 criteria and other subjective scales is malpractice in legal terms
- 55. What to avoid Data cocktails of generic scores and matrices for controls, threats and assets unrelated to the specific objectives under scope
- 56. What to avoid Risk = threat x vulnerability x IT asset value
- 57. What to avoid Risk = ( threat x vulnerabilities x probability x impact ) /countermeasures
- 58. What to avoid Risk = ( threat x exploit likelihood x exploit impact x asset value ) - security controls
- 59. What to avoid Risk = [ (10 * TechnicalImpact + 5*(AcquiredPrivilege + AcquiredPrivilegeLayer) + 5*FindingConfidence) * f(TechnicalImpact) * InternalControlEffectiveness ] * 4.0 f(TechnicalImpact) = 0 if TechnicalImpact = 0; otherwise f(TechnicalImpact) = 1
- 60. Data sources
- 61. External data to be tailored Adjust significant variances between industries, geographies, organization sizes, and business models for your organization
- 62. External data to be tailored Check that historical data is relevant and accurate for the type of cyber security planning
- 63. Cost per disclosed record Adjust averages from reports on data breaches (e.g. Ponemon, IBM, Gartner) or pay for historical data (e.g. Advisen)
- 64. External data to be tailored Adjust significant variances between industries, geographies, organization sizes, and business models for your organization
- 65. Internal statistics • Budget vs. actual by project • Incident database • Fraud and social engineering db • Penetration testing findings • Malware logs
- 66. Internal statistics • KPIs for SLAs and outsorcing contracts • Ongoing due diligence results • Lost and early disposed IT assets • Maintenance analysis
- 67. Internal statistics • Data loss prevention logs • Help desk analysis on IT issues • API gateway protection logs
- 68. Risk management is a top demanded skill in cyber security
- 69. Risk management is a top demanded skill in cyber security
- 70. This session is dedicated to Stanislaw Ulam, John von Neumann, and Nicholas Metropolis which developed the Monte Carlo method
- 71. @hewyler /hernanwyler mydailyexecutive.blogspot.com
