In this webinar, you will learn how to perform risk assessments and risk analysis based on the most commonly used standards for information security. You will learn about
● Business Impact Assessments
● Vulnerability Assessments
● Threat Catalogues
● Risk Reporting
● Carrying out a risk assessment project
● Responsible shortcuts to better risk assessments
Language: English
For a full list of Neupart's webinars and other events visit www.neupart.com/events
Neupart webinar 1: Four shortcuts to better risk assessments
1. Webinar: 4 shortcuts to professional IT risk assessments
Presented by Lars Neupart, Founder, CEO of Neupart Information Security Management
LN@neupart.com, twitter @neupart
2. About Neupart
• ISO 27001 certified company.
• Provides SecureAware®, an all-in-one, efficient ISMS solution allowing organizations to automate IT governance, risk and compliance management.
• "The ERP of Security"
• HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies.
IT GRC = IT Governance, Risk & Compliance Management
3. Program
• Introduction
• Business Impact Assessments
• Threat Catalogues
• Vulnerability Assessments
• Carrying out a risk assessment project
• Summary of shortcuts to better risk assessments
4. Selected ISO 2700x standards
• ISO 27000: Overview and vocabulary
• ISO 27001: Information Security Management Systems – Requirements
• ISO 27002: Code of practice for information security management
• ISO 27003: ISMS Implementation Guidelines
• ISO 27004: Information Security Management - Measurement
• ISO 27005: Information Security Risk Management
• ISO 27006: Requirements for bodies providing audit and certification
6. Comparing ISO 27005, NIST SP800-30
ISO 27005 process steps:
• Context establishment
• Identification of assets
• Identification of threats
• Identification of existing controls
• Identification of vulnerabilities
• Identification of consequences
• Assessment of consequences
• Assessment of incident likelihood
• Risk estimation
• Risk evaluation
• Risk acceptance
• Risk treatment
• Risk communication
NIST SP800-30 process steps:
• System Characterization
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Likelihood Determination
• Impact Analysis
• Risk Determination
• Control Recommendations
• Results Documentation
7. ISO 27005 is:
• Threat-based risk management guidance
• Considered best practice
• Well aligned with other risk frameworks
• A method to comply with ISO 27001 risk management requirements
8. Business Impact Assessment
ISO 27005: Estimate the business impact from breaches on CIA (confidentiality, integrity, availability)
• Financial terms
– Revenue, cash flow, costs, liabilities
• Non-financial terms:
– Image, non-compliance, competitiveness, service level
12. Not all assets burn (hint: link your threats to asset types)
Example from SecureAware
13. IT Risk Management - Explained
[Diagram] Threats have a Threat Frequency (driving Incident Likelihood) and a Threat Effect (driving Consequence); Risk is the prioritization of Likelihood against Consequence.
• Reduce Likelihood – Proactive Security, Preventive Measures: IT Security Policy, Compliance & Awareness, Change Management, Operating Procedures, Access Control, Monitoring, Firewall, Antivirus
• Reduce Consequence – Reactive Security, Corrective Measures (Flexibility): IT Service Continuity Strategy, IT Service Continuity Teams, IT Service Continuity Plans, Disaster Recovery Procedures, Incident Emergency Operations, System Redundancy, Standby Equipment, Virtualization, Backup
14. Vulnerability & control environment assessment
[Matrix] Controls grouped by Preventive vs. Corrective and by Administrative vs. Physical / Technical measures:
• Preventive, Administrative: Security Policy, Compliance Checks, Monitoring, Awareness, Logging, Change Management, Documentation, Procedures
• Preventive, Physical / Technical: Alarm System, Access Control System, Fire Suppression, Firewalls, Antivirus
• Corrective, Administrative: Business Continuity Strategy, IT Service Continuity Plan, Disaster Recovery Procedures
• Corrective, Physical / Technical: Standby Site, Standby Equipment, Backup/Restore, Virtualization, Redundancy, Server snapshots, Server Clusters, RAID
Assess how well your controls address relevant threats.
Recommendation: Base assessments on a maturity level scale.
16. Assets: Dependency Hierarchy
[Diagram] Example hierarchy, top to bottom:
• Finance (Business Process)
• ERP (IT Service)
• Finance DB (Database), Dynamics AOS (Business system)
• SAN 01 (Data storage), Server 01 (Virtual Server), Server 02 (Virtual Server)
• HP DL380 (Hardware unit), HP DL380 (Hardware unit)
• Oslo Datacenter (Data Center)
Business Impact values are inherited downwards; Vulnerability values are inherited upwards.
17. Business Processes & IT Services
[Diagram] Business Process 1 and Business Process 2 depend on IT Services (on premise) and on IT Services from a vendor, e.g. cloud.
Business Impact Scores inherit downwards; Vulnerability Scores inherit upwards.
18. High level assessments
• You can postpone the more detailed assessments and analysis.
• Begin at the top:
– A high level BIA can combine different impact types, e.g. revenue, cost, cashflow, image, in a single question.
– A high level vulnerability assessment can combine different threats in a single question.
19. An assessment project step-by-step
• What business processes, IT Services, etc. to include (assets)?
• Who to involve in the assessments?
• Perform interviews / collect data
• Reporting and communication
22. Neupart's 4 responsible short-cuts
1: Not all threats
• Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type)
2: Inheritance
• Inheritance: Business impact values inherit downwards
• Vulnerability scores inherit upwards
• Asset dependencies / Hierarchy
3: Not all assets
• Assess your most important assets first (you can add more later)
4: High level first
• Make an overall assessment first – refine later
• Example: Assess threats combined first – individually later
PS! They also apply to the 2013 edition of ISO 27001.
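The following is an added example, not SecureAware code and not from the slides: a small Python model of shortcuts 1 to 3 using the dependency hierarchy from slide 16. Business impact scores are inherited downwards (a server is as critical as the most critical process running on it), vulnerability scores are inherited upwards (a process is as exposed as the weakest thing it depends on), the threat catalogue is keyed by asset type so each asset is only scored against threats that apply to it, and an unassessed asset still takes part in inheritance. The threat names, asset types, the 1-5 scale and every score are constructed for illustration; the risk formula (worst-case impact times vulnerability) is a simplification of the ISO 27005 estimation step.

```python
"""Toy risk model: asset dependency hierarchy with business impact inherited
downwards, vulnerability inherited upwards, a threat catalogue keyed by asset
type, and risk = worst-case impact x vulnerability.  Added example, not
SecureAware code; all names, scales and scores are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed threat catalogue: each threat lists the asset types it applies
# to (shortcut 1: do not run the whole catalogue against every asset).
THREAT_CATALOGUE = {
    "fire": {"datacenter", "hardware", "storage"},
    "hardware_failure": {"hardware", "storage"},
    "malware": {"server", "database", "it_service"},
    "unauthorised_access": {"server", "database", "it_service"},
    "staff_unavailable": {"business_process"},
}


@dataclass
class Asset:
    name: str
    kind: str                                  # asset type, matched against THREAT_CATALOGUE
    depends_on: list[str] = field(default_factory=list)
    bia: dict[str, int] | None = None          # own C/I/A impact, 1-5; None = not assessed yet
    vuln: dict[str, int] | None = None         # own vulnerability per threat, 1-5; None = not assessed yet


class RiskModel:
    def __init__(self, assets: list[Asset]):
        self.assets = {a.name: a for a in assets}
        # Reverse edges (who depends on me) for downward impact inheritance.
        self.dependents: dict[str, list[str]] = {n: [] for n in self.assets}
        for a in assets:
            for d in a.depends_on:
                self.dependents[d].append(a.name)

    def relevant_threats(self, name: str) -> list[str]:
        """Shortcut 1: only the catalogue entries that apply to this asset's type."""
        kind = self.assets[name].kind
        return sorted(t for t, kinds in THREAT_CATALOGUE.items() if kind in kinds)

    def impact(self, name: str) -> dict[str, int]:
        """Shortcut 2: business impact inherits downwards. An asset is at least
        as critical as every process or service that depends on it."""
        scores = dict(self.assets[name].bia or {})
        for dep in self.dependents[name]:
            for cia, v in self.impact(dep).items():
                scores[cia] = max(scores.get(cia, 0), v)
        return scores

    def vulnerability(self, name: str) -> dict[str, int]:
        """Shortcut 2: vulnerability inherits upwards. Threats scored only on the
        hardware (e.g. fire) therefore still show up on the business process."""
        asset = self.assets[name]
        scores = {t: (asset.vuln or {}).get(t, 0) for t in self.relevant_threats(name)}
        for dep in asset.depends_on:
            for t, v in self.vulnerability(dep).items():
                scores[t] = max(scores.get(t, 0), v)
        return scores

    def risks(self, name: str) -> list[tuple[str, int]]:
        """Risk per threat = worst-case impact x effective vulnerability, highest
        first. Threats with no score anywhere in the chain are left out."""
        worst_impact = max(self.impact(name).values(), default=0)
        scored = ((t, worst_impact * v) for t, v in self.vulnerability(name).items() if v)
        return sorted(scored, key=lambda tv: -tv[1])


def finance_example() -> RiskModel:
    """Hierarchy from slide 16 (names only; all scores constructed). Only the
    business process carries a BIA, and Server 02 has not been assessed at all
    (shortcut 3: assess the important assets first, add the rest later)."""
    return RiskModel([
        Asset("Finance", "business_process", ["ERP"], bia={"C": 3, "I": 5, "A": 4},
              vuln={"staff_unavailable": 3}),
        Asset("ERP", "it_service", ["Finance DB", "Dynamics AOS"], vuln={"unauthorised_access": 2}),
        Asset("Finance DB", "database", ["SAN 01", "Server 01"],
              vuln={"malware": 2, "unauthorised_access": 3}),
        Asset("Dynamics AOS", "it_service", ["Server 02"], vuln={"malware": 2, "unauthorised_access": 2}),
        Asset("SAN 01", "storage", ["Oslo Datacenter"], vuln={"fire": 2, "hardware_failure": 1}),
        Asset("Server 01", "server", ["HP DL380 #1"], vuln={"malware": 3, "unauthorised_access": 2}),
        Asset("Server 02", "server", ["HP DL380 #2"]),            # not assessed yet
        Asset("HP DL380 #1", "hardware", ["Oslo Datacenter"], vuln={"fire": 2, "hardware_failure": 2}),
        Asset("HP DL380 #2", "hardware", ["Oslo Datacenter"], vuln={"fire": 2, "hardware_failure": 4}),
        Asset("Oslo Datacenter", "datacenter", vuln={"fire": 1}),
    ])


if __name__ == "__main__":
    model = finance_example()
    for asset_name in model.assets:
        print(f"{asset_name:16} impact={model.impact(asset_name)} risks={model.risks(asset_name)}")
```

Running it shows the two inheritance directions at work: the Oslo datacenter, which has no BIA of its own, ends up with the Finance process's C/I/A scores, while the Finance process, which is only ever asked about staff availability, reports the hardware failure score of HP DL380 #2 as its top risk because that score travelled up through Server 02, Dynamics AOS and ERP. Server 02 was never interviewed about, yet it still gets a risk figure from what lies beneath it, which is what makes "assess the important assets first, add more later" a responsible shortcut rather than a gap.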
23. Resources
• White papers and presentations at Neupart blog
– treatingrisk.blogspot.com
• Educational Webinars and SecureAware Live Demos at our website:
– neupart.com/events
• SecureAware ISMS tool
– www.neupart.com/products
– ISO 27001 Policy & Compliance Management, IT Risk Management
– Out of the box solution; Free trial
28. Key features summary – Risk TNG
• Business impact assessment
• Vulnerability assessment
• Role based interviews
• Flexible asset inventory for any type of asset, i.e. business processes, IT services, and their relationships
• Customizable threat catalogue
• Risk dashboards & flexible reporting options
• Risk treatment processes
• API