Webinar: 4 shortcuts to professional IT risk assessments
(slide deck transcript, 28 slides)

Presented by Lars Neupart
Founder, CEO of Neupart
Information Security Management
LN@neupart.com
twitter @neupart
About Neupart

• ISO 27001 certified company.
• Provides SecureAware®, an all-in-one, efficient ISMS solution allowing organizations to automate IT governance, risk and compliance management.
• "The ERP of Security"
• HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies.
IT GRC = IT Governance, Risk & Compliance Management

Program

• Introduction
• Business Impact Assessments
• Threat Catalogues
• Vulnerability Assessments
• Carrying out a risk assessment project
• Summary of shortcuts to better risk assessments
Selected ISO 2700x standards

• ISO 27000: Overview and vocabulary
• ISO 27001: Information Security Management Systems – Requirements
• ISO 27002: Code of practice for information security management
• ISO 27003: ISMS Implementation Guidelines
• ISO 27004: Information Security Management – Measurement
• ISO 27005: Information Security Risk Management
• ISO 27006: Requirements for bodies providing audit and certification

+ ISO 31000 Enterprise Risk Management
Plan – Do – Check – Act (the PDCA cycle)
Comparing ISO 27005, NIST SP800-30

ISO 27005                              NIST SP800-30
Context establishment                  System Characterization
Identification of assets               System Characterization
Identification of threats              Threat Identification
Identification of existing controls    Control Analysis
Identification of vulnerabilities      Vulnerability Identification
Identification of consequences         Impact Analysis
Assessment of consequences             Impact Analysis
Assessment of incident likelihood      Likelihood Determination
Risk estimation                        Risk Determination
Risk evaluation                        Risk Determination
Risk acceptance                        Control Recommendations
Risk treatment                         Control Recommendations
Risk communication                     Results Documentation

(The slide places the thirteen ISO 27005 activities beside the nine NIST SP800-30 steps; the row pairing above is the approximate correspondence, so several ISO activities share one NIST step.)
ISO 27005 is:

• A threat-based risk management guidance
• Considered best practice
• Well aligned with other risk frameworks
• A method to comply with ISO 27001 risk management requirements

ISO 27005 Business Impact Assessment

ISO 27005: Estimate the business impact from breaches of CIA (confidentiality, integrity, availability)

• Financial terms
  – Revenue, cash flow, costs, liabilities
• Non-financial terms:
  – Image, non-compliance, competitiveness, service level
Example: Business Impact Assessment
(Example from SecureAware: screenshot)

Threats

Example: Threat Catalogue
(Example from SecureAware: screenshot)

Not all assets burn
(hint: link your threats to asset types)
(Example from SecureAware: screenshot)
IT Risk Management – Explained (diagram)

Threats → Threat Frequency → Incident Likelihood
Threats → Threat Effect → Consequence
Incident Likelihood and Consequence together give the Risk, which drives Prioritization.

Reduce Likelihood: Proactive Security, Preventive Measures
  IT Security Policy, Compliance & Awareness, Change Management, Operating Procedures, Access Control, Monitoring, System Redundancy, Firewall, Antivirus

Reduce Consequence: Reactive Security, Corrective Measures
  IT Service Continuity Strategy, IT Service Continuity Plans, IT Service Continuity Teams, Disaster Recovery Procedures, Incident Emergency Operations, Flexibility, Standby Equipment, Virtualization, Backup
Vulnerability & control environment assessment (diagram)

Preventive Measures
  Administrative Measures: Security Policy, Compliance Checks, Awareness, Change Management, Documentation, Procedures
  Physical / Technical Measures: Monitoring, Logging, Alarm System, Access Control System, Fire Suppression, Firewalls, Antivirus, Virtualization, Redundancy, Server Clusters, RAID

Corrective Measures
  Business Continuity Strategy, IT Service Continuity Plan, Disaster Recovery, Standby Site, Standby Equipment, Backup/Restore, Server snapshots

Assess how well your controls address relevant threats

Recommendation: Base assessments on a maturity level scale
Example: Vulnerability Assessments
(Example from SecureAware: screenshot)
Assets: Dependency Hierarchy

Business Impact values are inherited downwards.
Vulnerability values are inherited upwards.

Finance                – Business Process
  ERP                  – IT Service
    Finance DB         – Database
    Dynamics AOS       – Business system
      SAN 01           – Data Storage
      Server 01        – Virtual Server
      Server 02        – Virtual Server
        HP DL380       – Hardware unit
        HP DL380       – Hardware unit
          Data Center Oslo – Datacenter
Business Processes & IT Services

Business Process 1, Business Process 2
  → IT Services (on premise)
  → IT Services from vendor, e.g. cloud

Business Impact Scores inherit downwards
Vulnerability Scores inherit upwards
High level assessments

• You can postpone the more detailed assessments and analysis.
• Begin at the top:
  – A high level BIA can combine different impact types, e.g. revenue, cost, cashflow, image, in a single question.
  – High level vulnerability assessments can combine different threats in a single question.
An assessment project step-by-step

• What business processes, IT services, etc. to include (assets)?
• Who to involve in the assessments?
• Perform interviews / collect data
• Reporting and communication
Risk Management

• Risk Owner (Assets)
• Threats
• Business Impact Assessment
• Vulnerability Assessment
• Reporting & evaluating
• Treating (Accept, Reduce, Share, Avoid)
Keep it simple:

Risk Management = Risk Assessments + Risk Treatment
1: Not all threats

• Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type)

2: Inheritance

• Inheritance: Business impact values inherit downwards
• Vulnerability scores inherit upwards
• Asset dependencies / hierarchy

3: Not all assets

• Assess your most important assets first (you can add more later)

4: High level first

• Make the overall assessment first – refine later
• Example: Assess threats combined first – individually later

Neupart's 4 responsible shortcuts.

PS! They also apply to the 2013 edition of ISO 27001 :-)
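The following is an added example written for this transcript; it is not code from the deck, from Neupart or from SecureAware. It models shortcuts 1 and 2 on the dependency hierarchy shown earlier (Finance → ERP → Finance DB / Dynamics AOS → SAN and servers → HP DL380 units → Data Center Oslo): each catalogue threat is tagged with the asset types it applies to, business impact is inherited downwards and vulnerability upwards through the dependency graph, and each (asset, threat) pair gets a risk score. The asset inventory (extended with a second, lower-impact "Intranet" process), the threat catalogue, the 1–5 scales and the impact × vulnerability scoring rule are all constructed assumptions for the illustration; the deck itself specifies no scoring formula.

```python
# Added example (not Neupart/SecureAware code): threat catalogue linked to
# asset types plus impact/vulnerability inheritance over a dependency graph.
# Asset names, types, scores and the threat list are constructed for the
# illustration; "risk = impact * vulnerability" is an assumed scoring rule.
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                                       # asset type, drives threat relevance
    depends_on: list = field(default_factory=list)  # names of assets this one relies on
    impact: int = 0                                 # own BIA score 1-5, 0 = not assessed
    vulnerability: int = 0                          # own vulnerability score 1-5, 0 = not assessed


# Constructed threat catalogue: each threat lists the asset types it applies to,
# so a datacenter is asked about fire and a business process about staff, not both.
THREATS = {
    "fire": {"datacenter", "hardware"},
    "disk failure": {"storage", "hardware"},
    "hypervisor outage": {"virtual_server"},
    "sql injection": {"database", "business_system"},
    "key staff unavailable": {"business_process"},
    "service outage at vendor": {"it_service"},
}


def build_inventory():
    """Constructed inventory modelled on the deck's hierarchy, plus a second,
    lower-impact business process so the two inheritance rules visibly differ."""
    assets = [
        Asset("Finance", "business_process", ["ERP"], impact=5),
        Asset("Intranet", "business_process", ["Web Server"], impact=2),
        Asset("ERP", "it_service", ["Finance DB", "Dynamics AOS"]),
        Asset("Web Server", "virtual_server", ["HP DL380 #3"], vulnerability=2),
        Asset("Finance DB", "database", ["SAN 01", "Server 01"], vulnerability=4),
        Asset("Dynamics AOS", "business_system", ["Server 02"]),
        Asset("SAN 01", "storage", ["Data Center Oslo"], vulnerability=2),
        Asset("Server 01", "virtual_server", ["HP DL380 #1"]),
        Asset("Server 02", "virtual_server", ["HP DL380 #2"]),
        Asset("HP DL380 #1", "hardware", ["Data Center Oslo"], vulnerability=3),
        Asset("HP DL380 #2", "hardware", ["Data Center Oslo"], vulnerability=3),
        Asset("HP DL380 #3", "hardware", ["Data Center Oslo"], vulnerability=3),
        Asset("Data Center Oslo", "datacenter", [], vulnerability=1),
    ]
    return {a.name: a for a in assets}


def check_acyclic(inv):
    """Inheritance recurses along dependencies, so a cycle must be rejected."""
    done = set()

    def visit(name, path):
        if name in path:
            raise ValueError(f"dependency cycle through {name!r}")
        if name in done:
            return
        for dep in inv[name].depends_on:
            visit(dep, path | {name})
        done.add(name)

    for name in inv:
        visit(name, frozenset())


def dependents(inv):
    """Reverse map: which assets rely on each asset."""
    rev = {name: [] for name in inv}
    for a in inv.values():
        for dep in a.depends_on:
            rev[dep].append(a.name)
    return rev


def inherited_impact(inv, name, rev=None, memo=None):
    """Downwards: an asset is at least as important as anything relying on it."""
    rev = dependents(inv) if rev is None else rev
    memo = {} if memo is None else memo
    if name not in memo:
        own = inv[name].impact
        memo[name] = max([own] + [inherited_impact(inv, p, rev, memo) for p in rev[name]])
    return memo[name]


def inherited_vulnerability(inv, name, memo=None):
    """Upwards: an asset is at least as vulnerable as anything it depends on."""
    memo = {} if memo is None else memo
    if name not in memo:
        own = inv[name].vulnerability
        memo[name] = max([own] + [inherited_vulnerability(inv, d, memo)
                                  for d in inv[name].depends_on])
    return memo[name]


def relevant_threats(asset):
    """Shortcut 1: only the catalogue entries tagged with this asset's type."""
    return sorted(t for t, kinds in THREATS.items() if asset.kind in kinds)


def risk_register(inv):
    """(asset, threat, impact, vulnerability, risk) rows, highest risk first."""
    check_acyclic(inv)
    rev, imp_memo, vul_memo, rows = dependents(inv), {}, {}, []
    for name, asset in inv.items():
        i = inherited_impact(inv, name, rev, imp_memo)
        v = inherited_vulnerability(inv, name, vul_memo)
        for threat in relevant_threats(asset):
            rows.append((name, threat, i, v, i * v))
    rows.sort(key=lambda r: (-r[4], r[0], r[1]))
    return rows


if __name__ == "__main__":
    for name, threat, i, v, risk in risk_register(build_inventory()):
        print(f"{risk:3d}  {name:17s} {threat:26s} impact={i} vuln={v}")
```

Running the script prints the register sorted by score. Only 16 of the 78 possible asset/threat pairs are assessed, because each asset is only matched against the threats tagged for its type. The top rows are Finance, ERP and Finance DB: neither Finance nor ERP has an own vulnerability score, but both inherit the 4 from the database they depend on, while the low-impact Intranet branch stays at the bottom even though its hardware shares the same datacenter. The cycle check matters because a dependency loop (say, the datacenter being recorded as depending on the Finance process) would otherwise make the inheritance recursion never terminate.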
  
Resources

• White papers and presentations at the Neupart blog
  – treatingrisk.blogspot.com
• Educational Webinars and SecureAware Live Demos at our website:
  – neupart.com/events
• SecureAware ISMS tool
  – www.neupart.com/products
  – ISO 27001 Policy & Compliance Management, IT Risk Management
  – Out of the box solution; Free trial
INFORMATION SECURITY MANAGEMENT

More webinars:
Treating Risks – today 4pm CET
SecureAware Live Demo – tomorrow 2pm
neupart.com/events
Asset Management: Your best and worst assets
(Example from SecureAware: screenshot)

Risk Management Projects
(Example from SecureAware: screenshot)

Key features summary – Risk TNG

• Business impact assessment
• Vulnerability assessment
• Role based interviews
• Flexible asset inventory for any type of asset, e.g. business processes, IT services, and their relationships
• Customizable threat catalogue
• Risk dashboards & flexible reporting options
• Risk treatment processes
• API

QCon London: Mastering long-running processes in modern architectures
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 

Neupart webinar 1: Four shortcuts to better risk assessments

  • 1. Webinar: 4 shortcuts to professional IT risk assessments. Presented by Lars Neupart, Founder, CEO of Neupart, Information Security Management. LN@neupart.com, twitter @neupart
  • 2. About Neupart
    •  ISO 27001 certified company.
    •  Provides SecureAware®, an all-in-one, efficient ISMS solution allowing organizations to automate IT governance, risk and compliance management.
    •  "The ERP of Security"
    •  HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies.
    IT GRC = IT Governance, Risk & Compliance Management
  • 3. Program: Introduction; Business Impact Assessments; Threat Catalogues; Vulnerability Assessments; Carrying out a risk assessment project; Summary of shortcuts to better risk assessments
  • 4. Selected ISO 2700x standards
    •  ISO 27000: Overview and vocabulary
    •  ISO 27001: Information Security Management Systems – Requirements
    •  ISO 27002: Code of practice for information security management
    •  ISO 27003: ISMS Implementation Guidelines
    •  ISO 27004: Information Security Management – Measurement
    •  ISO 27005: Information Security Risk Management
    •  ISO 27006: Requirements for bodies providing audit and certification
    + + + +
  • 5. ISO 31000 Enterprise Risk Management: Plan – Do – Check – Act
  • 6. Comparing ISO 27005, NIST SP800-30
    ISO 27005: Context establishment; Identification of assets; Identification of threats; Identification of existing controls; Identification of vulnerabilities; Identification of consequences; Assessment of consequences; Assessment of incident likelihood; Risk estimation; Risk evaluation; Risk treatment; Risk acceptance; Risk communication
    NIST SP800-30: System Characterization; Threat Identification; Vulnerability Identification; Control Analysis; Likelihood Determination; Impact Analysis; Risk Determination; Control Recommendations; Results Documentation
  • 7. ISO 27005 is:
    •  A threat based risk management guidance
    •  Considered best practice
    •  Well aligned with other risk frameworks
    •  A method to comply with ISO 27001 risk management requirements
  • 8. Business Impact Assessment. ISO 27005: Estimate the business impact from breaches on CIA (confidentiality, integrity, availability)
    •  Financial terms – revenue, cash flow, costs, liabilities
    •  Non-financial terms – image, non-compliance, competitiveness, service level
  • 9. Example: Business Impact Assessment. Example from SecureAware
  • 11. Example: Threat Catalogue. Example from SecureAware
  • 12. Not all assets burn (hint: link your threats to asset types). Example from SecureAware
  • 13. IT Risk Management – Explained (diagram; labels only). Threats, Threat Frequency and Threat Effect feed Incident Likelihood and Consequence, which together give the Prioritization. Reduce Likelihood: Proactive Security / Preventive Measures. Reduce Consequence: Reactive Security / Corrective Measures. Controls shown: IT Security Policy, Compliance & Awareness, Change Management, Operating Procedures, Access Control, Monitoring, System Redundancy, Firewall, Antivirus, IT Service Continuity Teams, IT Service Continuity Strategy, IT Service Continuity Plans, Disaster Recovery Procedures, Incident Emergency Operations, Flexibility, Standby Equipment, Virtualization, Backup
  • 14. Vulnerability & control environment assessment (control grid, reconstructed from the slide's labels)
    •  Administrative, preventive: Security Policy, Compliance Checks, Awareness, Change Management, Documentation Procedures
    •  Administrative, corrective: Business Continuity Strategy, IT Service Continuity Plan, Disaster Recovery
    •  Physical / technical, preventive: Monitoring, Logging System, Alarm System, Access Control System, Fire Suppression, Firewalls, Antivirus
    •  Physical / technical, corrective: Standby Equipment, Standby Site, Backup/Restore, Virtualization, Redundancy, Server snapshots, Server Clusters, RAID
    Assess how well your controls address relevant threats. Recommendation: base assessments on a maturity level scale.
  • 15. Example: Vulnerability Assessments. Example from SecureAware
  • 16. Assets: Dependency Hierarchy. Business Impact values are inherited downwards; Vulnerability values are inherited upwards. Layers, top to bottom: Finance (Business process) → ERP (IT service) → Finance DB (Database) and Dynamics AOS (Business system) → SAN 01 (Data storage), Server 01 and Server 02 (Virtual servers) → two HP DL380 (Hardware units) → Data Center Oslo (Datacenter)
  • 17. Business Processes & IT Services. Business Process 1 and Business Process 2 depend on IT Services (on premise) and IT Services from a vendor, e.g. cloud. Business Impact Scores inherit downwards; Vulnerability Scores inherit upwards.
  • 18. High level assessments
    •  You can postpone the more detailed assessments and analysis.
    •  Begin at the top:
      –  A high level BIA can combine different impact types, e.g. revenue, cost, cash flow, image, in a single question.
      –  A high level vulnerability assessment can combine different threats in a single question.
  • 19. An assessment project step-by-step: What business processes, IT services, etc. to include (assets)? → Who to involve in the assessments? → Perform interviews / collect data → Reporting and communication
  • 20. Risk Management: Risk Owner; Assets; Threats; Business Impact Assessment
    •  Vulnerability Assessment
    •  Reporting & evaluating
    •  Treating (Accept, Reduce, Share, Avoid)
  • 21. Keep it simple: Risk Management = Risk Assessments + Risk Treatment
  • 22. Neupart's 4 responsible short-cuts
    •  1: Not all threats. Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type).
    •  2: Inheritance. Business impact values inherit downwards; vulnerability scores inherit upwards; asset dependencies / hierarchy.
    •  3: Not all assets. Assess your most important assets first (you can add more later).
    •  4: High level first. Make the overall assessment first, refine later. Example: assess threats combined first, individually later.
    PS! They also apply to the 2013 edition of ISO 27001 :-)
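The inheritance rules of slides 16, 17 and 22, together with the asset-type-linked threat catalogue of slide 12, as an added worked example. This is Python written for this page, not SecureAware code and not Neupart's own method: the asset names follow slide 16, while the threat-to-asset-type mapping, the 1..4 score scales, the impact × vulnerability risk estimate and the sample scores are all constructed for the example.

```python
from collections import defaultdict

# Threat catalogue linked to asset types (slide 12: "not all assets burn").
# Constructed example mapping; a real catalogue is larger and organisation specific.
THREATS_BY_KIND = {
    "Business process": {"Loss of key staff"},
    "IT service": {"Unauthorized access", "Software failure"},
    "Database": {"Unauthorized access", "Software failure", "Data corruption"},
    "Business system": {"Unauthorized access", "Software failure"},
    "Data storage": {"Hardware failure"},
    "Virtual server": {"Software failure", "Malware"},
    "Hardware unit": {"Hardware failure"},
    "Datacenter": {"Fire", "Power outage"},
}


class RiskModel:
    """Asset dependency hierarchy with inherited scores (assumed scale 1..4, 4 = worst)."""

    def __init__(self):
        self.kind = {}                      # asset -> asset type
        self.impact = {}                    # asset -> {"C": n, "I": n, "A": n}, where assessed
        self.vuln = {}                      # asset -> {threat: n}, where assessed
        self.children = defaultdict(list)   # asset -> assets it depends on
        self.parents = defaultdict(list)    # asset -> assets that depend on it

    def add_asset(self, name, kind):
        self.kind[name] = kind

    def depends_on(self, parent, child):
        # The hierarchy must be acyclic; the inheritance walks below recurse over it.
        self.children[parent].append(child)
        self.parents[child].append(parent)

    def set_impact(self, asset, c, i, a):
        self.impact[asset] = {"C": c, "I": i, "A": a}

    def set_vulnerability(self, asset, threat, level):
        # Shortcut 1: only threats relevant to the asset type are assessed on that asset.
        if threat not in THREATS_BY_KIND[self.kind[asset]]:
            raise ValueError(f"{threat!r} is not in the threat catalogue for {self.kind[asset]!r}")
        self.vuln.setdefault(asset, {})[threat] = level

    def inherited_impact(self, asset):
        # Shortcut 2a: business impact inherits downwards, so an asset is at least
        # as critical as the most critical thing that depends on it.
        result = dict(self.impact.get(asset, {}))
        for parent in self.parents[asset]:
            for dim, level in self.inherited_impact(parent).items():
                result[dim] = max(result.get(dim, 0), level)
        return result

    def inherited_vulnerability(self, asset):
        # Shortcut 2b: vulnerability inherits upwards, so a service is exposed to every
        # threat any of its dependencies is exposed to (fire in the datacenter reaches
        # the ERP service although "Fire" is never assessed on an IT service).
        result = dict(self.vuln.get(asset, {}))
        for child in self.children[asset]:
            for threat, level in self.inherited_vulnerability(child).items():
                result[threat] = max(result.get(threat, 0), level)
        return result

    def risk(self, asset):
        # Risk estimation per threat: worst inherited CIA impact times inherited vulnerability.
        impact = max(self.inherited_impact(asset).values(), default=0)
        return {t: impact * v for t, v in self.inherited_vulnerability(asset).items()}

    def ranked(self):
        # Shortcut 3 support: rank assets so the most exposed ones are treated first.
        return sorted(((max(self.risk(a).values(), default=0), a) for a in self.kind), reverse=True)


def build_example():
    """The slide 16 hierarchy with a handful of constructed assessment values."""
    m = RiskModel()
    for name, kind in [
        ("Finance", "Business process"), ("ERP", "IT service"),
        ("Finance DB", "Database"), ("Dynamics AOS", "Business system"),
        ("SAN 01", "Data storage"), ("Server 01", "Virtual server"), ("Server 02", "Virtual server"),
        ("HP DL380 #1", "Hardware unit"), ("HP DL380 #2", "Hardware unit"),
        ("Data Center Oslo", "Datacenter"),
    ]:
        m.add_asset(name, kind)
    for parent, child in [
        ("Finance", "ERP"), ("ERP", "Finance DB"), ("ERP", "Dynamics AOS"),
        ("Finance DB", "SAN 01"), ("Finance DB", "Server 01"), ("Dynamics AOS", "Server 02"),
        ("Server 01", "HP DL380 #1"), ("Server 02", "HP DL380 #2"),
        ("SAN 01", "Data Center Oslo"), ("HP DL380 #1", "Data Center Oslo"), ("HP DL380 #2", "Data Center Oslo"),
    ]:
        m.depends_on(parent, child)
    # Shortcut 4: one high-level BIA on the business process is enough to start;
    # every asset below inherits it, and only three vulnerability questions were answered.
    m.set_impact("Finance", c=3, i=4, a=3)
    m.set_vulnerability("Data Center Oslo", "Fire", 2)
    m.set_vulnerability("Finance DB", "Unauthorized access", 3)
    m.set_vulnerability("HP DL380 #1", "Hardware failure", 1)
    return m


if __name__ == "__main__":
    model = build_example()
    for score, asset in model.ranked():
        print(f"{score:3d}  {asset:18s} {model.risk(asset)}")
```

Running it lists every asset with a risk of at least 8 although only the Finance process was given an impact, because the datacenter's fire exposure propagates up to everything hosted there; trying to score "Fire" directly on the ERP service is rejected by the catalogue check, which is the practical effect of shortcut 1.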
  • 23. Resources
    •  White papers and presentations at the Neupart blog – treatingrisk.blogspot.com
    •  Educational webinars and SecureAware live demos at our website – neupart.com/events
    •  SecureAware ISMS tool – www.neupart.com/products
      –  ISO 27001 Policy & Compliance Management, IT Risk Management
      –  Out of the box solution; free trial
  • 24. INFORMATION SECURITY MANAGEMENT. More webinars: Treating Risks – today 4pm CET; SecureAware Live Demo – tomorrow 2pm; neupart.com/events
  • 26. Your best and worst assets. Example from SecureAware
  • 27. Risk Management Projects. Example from SecureAware
  • 28. Key features summary – Risk TNG
    •  Business impact assessment
    •  Vulnerability assessment
    •  Role based interviews
    •  Flexible asset inventory for any type of asset, i.e. business processes, IT services, and their relationships
    •  Customizable threat catalogue
    •  Risk dashboards & flexible reporting options
    •  Risk treatment processes
    •  API