Risk Assessment as per ISO 27005

Presented by Dharshan Shanthamurthy, Risk Assessment Evangelist
WWW.SMART‐RA.COM

SMART‐RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.
What is Risk Assessment?

• NIST SP 800‐30
  Risk Assessment is the analysis of threats in conjunction with vulnerabilities and existing controls.
• OCTAVE
  A Risk Assessment will provide the information needed to make risk management decisions regarding the degree of security remediation.
• ISO 27005
  Risk Assessment = Identification, Estimation and Evaluation
Why Risk Assessment?
Regulatory Compliance

Compliance Standard | Risk Assessment Requirement
PCI DSS Requirement 12.1.2 | Formal and structured risk assessment based on methodologies like ISO 27005, NIST SP 800‐30, OCTAVE, etc.
HIPAA Section 164.308(a)(1) | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
FISMA 3544 | Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed at least annually.
ISO 27001 Clause 4.1 | Risk assessments should identify risks against risk acceptance criteria and organizational objectives. Risk assessments should also be performed periodically to address changes in the security requirements and in the risk situation.

Also: GLBA, SOX, FISMA, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST……
Why Risk Assessment?
Business Rationale

Function | Explanation
Return on Investment | A structured RA methodology follows a systematic and pre‐defined approach, minimizes the scope for human error, and emphasizes process‐driven rather than human‐driven activities.
Budget Allocation | Assists in controls cost planning and justification.
Controls | Cost and effort optimization by optimizing controls selection and implementation.
Efficient utilization of resources | Resource optimization by appropriate delegation of actions related to controls implementation.
What is IS‐RA?

Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile: its strengths and weaknesses, its vulnerabilities and exposures.

“IF YOU CAN’T MEASURE IT …YOU CAN’T MANAGE IT!”
Reality Check
•   ISRA: a need more than a want
•   Each organization has its own ISRA
•   ISRA learning curve
•   Cumbersome: 1000 assets, 20 worksheets
•   Two months of effort
•   Complicated report

Exercise
• Threat Scenarios
• Threat Profiles to be filled.
Risk Assessment reference points
     •   OCTAVE
     •   NIST SP 800‐30
     •   ISO 27005
     •   COSO
     •   Risk IT
     •   ISO 31000
     •   AS/NZS 4360
     •   FRAP
     •   FTA
     •   MEHARI
ISO 27005 Introduction

 • ISO 27005 is an Information Security Risk Management guideline.
 • Lays emphasis on the ISMS concept of ISO 27001:2005.
 • Drafted and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 • Provides RA guidance but does not recommend any particular RA methodology.
 • Applicable to organizations of all types.
ISO 27005 Workflow

• Advocates an iterative approach to risk assessment.
• Aims at balancing time and effort with controls efficiency in mitigating high risks.
• Proposes the Plan‐Do‐Check‐Act cycle.

[Figure: ISO 27005 risk management process diagram. Source: ISO 27005 Standard]
ISO 27005 Risk Assessment

Information Security Risk Assessment = Risk Analysis + Risk Evaluation

Risk Analysis:
   Risk Analysis = Risk Identification + Risk Estimation

1. Risk Identification
   Risk characterized in terms of organizational conditions.
   • Identification of Assets: Assets within the defined scope.
   • Identification of Threats: Based on incident reviews, asset owners, asset users, external threat sources, etc.

ISO 27005 Risk Assessment Contd.
   • Identification of Existing Controls: Also check whether the controls are working correctly.
   • Identification of Vulnerabilities: Vulnerabilities are shortlisted in organizational processes, IT, personnel, etc.
   • Identification of Consequences: The impact of loss of confidentiality, integrity and availability (CIA) of assets.

2. Risk Estimation
   – Specifies the measure of risk.
   • Qualitative Estimation
   • Quantitative Estimation

Risk Evaluation:
   • Compares and prioritizes risk levels based on Risk Evaluation Criteria and Risk Acceptance Criteria.
ISO 27005 RA Workflow

Step 1: General Description of ISRA
Step 2: Risk Analysis: Risk Identification
Step 3: Risk Analysis: Risk Estimation
Step 4: Risk Evaluation

Step 1
1. General Description of ISRA
   Input:  Basic criteria; scope and boundaries; organization for ISRM.
   Action: Identify, describe (quantitatively or qualitatively) and prioritize risks.
   Output: Assessed risks prioritized according to Risk Evaluation Criteria.
Step 2
2. Risk Analysis: Risk Identification – Identification of Assets
   Input:  Scope and boundaries; asset owners; asset location; asset function.
   Action: Assets are defined.
   Output: List of assets; list of associated business processes.
Step 2
2. Risk Analysis: Risk Identification – Identification of Threats
   Input:  Threat information from review of incidents, asset owners, asset users, etc.
   Action: Threats are defined.
   Output: Threats; threat source; threat type.
Step 2
2. Risk Analysis: Risk Identification – Identification of Existing Controls
   Input:  Documentation of controls; RTP (risk treatment plan).
   Action: Existing and planned controls are defined.
   Output: Existing and planned controls; implementation status; usage status.
Step 2
2. Risk Analysis: Risk Identification – Identification of Vulnerabilities
   Input:  Identified assets; identified threats; identified existing controls.
   Action: Vulnerabilities are identified.
   Output: Vulnerabilities related to assets, threats, controls; vulnerabilities not related to any threat.
Step 2
2. Risk Analysis: Risk Identification – Identification of Consequences
   Input:  Assets and business processes; threats and vulnerabilities.
   Action: The impact of the loss of CIA is identified.
   Output: Incident scenarios with their consequences related to assets and business processes.
Step 3
3. Risk Analysis: Risk Estimation – Risk Estimation Methodologies
   (a) Qualitative Estimation: High, Medium, Low
   (b) Quantitative Estimation: $, hours, etc.
Step 3
3. Risk Analysis: Risk Estimation – Assessment of Consequences
   Input:  Assets and business processes; threats and vulnerabilities; incident scenarios.
   Action: The business impact from information security incidents is assessed.
   Output: Assessed consequences of an incident scenario, expressed in terms of assets and impact criteria.
Step 3
3. Risk Analysis: Risk Estimation – Level of Risk Estimation
   Input:  Incident scenarios with their consequences; their likelihood (quantitative or qualitative).
   Action: Level of risk is estimated for all relevant incident scenarios.
   Output: List of risks with value levels assigned.
Step 4
4. Risk Evaluation
   Input:  Risks with value levels assigned; risk evaluation criteria.
   Action: Level of risk is compared against risk evaluation criteria and risk acceptance criteria.
   Output: Risks prioritized according to risk evaluation criteria in relation to the incident scenarios.
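The following is an added worked example, not part of the original slides and not SISA's SMART‐RA code, that carries Step 3 (level of risk estimation, both qualitative and quantitative) and Step 4 (evaluation against acceptance criteria and prioritization) through in Python over a small constructed risk register. The three‐point scales, the likelihood × consequence matrix, the "expected annual loss = events per year × loss per event" quantitative form, the acceptance thresholds and the scenario data are all assumptions chosen for illustration; an organization defines its own as Step 1 basic criteria.

```python
"""Added example: ISO 27005-style risk estimation and evaluation over a
constructed register. Scales, matrix, thresholds and data are assumptions."""
from dataclasses import dataclass

# Assumed three-point qualitative scale shared by likelihood, consequence and
# risk level (Step 1 basic criteria); the integer gives the ordering.
SCALE = {"Low": 0, "Medium": 1, "High": 2}

# Assumed likelihood x consequence matrix:
# RISK_MATRIX[SCALE[likelihood]][SCALE[consequence]] -> qualitative risk level.
RISK_MATRIX = [
    ["Low",    "Low",    "Medium"],   # likelihood Low
    ["Low",    "Medium", "High"],     # likelihood Medium
    ["Medium", "High",   "High"],     # likelihood High
]


@dataclass
class IncidentScenario:
    """One register row: asset, threat, vulnerability, existing controls and
    the analyst's likelihood / consequence estimates (Step 2 outputs)."""
    asset: str
    threat: str
    vulnerability: str
    existing_controls: tuple
    likelihood: str          # qualitative: Low / Medium / High
    consequence: str         # qualitative: Low / Medium / High
    events_per_year: float   # quantitative likelihood (assumed form)
    loss_per_event: float    # quantitative consequence in $ (assumed form)


def qualitative_risk(likelihood: str, consequence: str) -> str:
    """Step 3, qualitative: look the risk level up in the matrix.
    Values outside the agreed scale are rejected rather than guessed."""
    if likelihood not in SCALE or consequence not in SCALE:
        raise ValueError(f"value outside scale: {likelihood!r}/{consequence!r}")
    return RISK_MATRIX[SCALE[likelihood]][SCALE[consequence]]


def quantitative_risk(events_per_year: float, loss_per_event: float) -> float:
    """Step 3, quantitative: expected annual loss in $ (assumed form)."""
    return events_per_year * loss_per_event


def evaluate(scenarios, accept_level="Low", accept_annual_loss=10_000.0):
    """Step 4: compare each estimated risk against the acceptance criteria
    and return the register prioritized, highest risk first. A risk counts as
    acceptable only if BOTH estimates are within the criteria (assumed rule)."""
    rows = []
    for s in scenarios:
        level = qualitative_risk(s.likelihood, s.consequence)
        eal = quantitative_risk(s.events_per_year, s.loss_per_event)
        acceptable = SCALE[level] <= SCALE[accept_level] and eal <= accept_annual_loss
        rows.append({"asset": s.asset, "threat": s.threat, "level": level,
                     "expected_annual_loss": eal, "acceptable": acceptable})
    # Prioritize by qualitative level first, then by expected annual loss.
    rows.sort(key=lambda r: (SCALE[r["level"]], r["expected_annual_loss"]),
              reverse=True)
    return rows


# Constructed sample register (illustrative data, not from any real assessment).
SAMPLE_REGISTER = [
    IncidentScenario("Cardholder DB", "External attacker", "Unpatched DBMS",
                     ("Firewall",), "Medium", "High", 0.5, 200_000.0),
    IncidentScenario("HR file share", "Insider", "Excessive share permissions",
                     ("Access reviews",), "High", "Medium", 2.0, 15_000.0),
    IncidentScenario("Intranet wiki", "Malware", "No endpoint AV on kiosk",
                     ("Network segmentation",), "Low", "Low", 1.0, 2_000.0),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_REGISTER):
        verdict = "accept" if r["acceptable"] else "treat"
        print(f'{r["level"]:6} ${r["expected_annual_loss"]:>10,.0f} '
              f'{verdict:6} {r["asset"]} / {r["threat"]}')
```

Running it prints the register with the two High risks (cardholder database, HR share) ahead of the Low one, and only the intranet wiki scenario flagged as acceptable. The point of requiring both estimates to pass is the caveat a practitioner should carry into Step 4: a scenario that rates Low on the matrix can still exceed a monetary acceptance threshold, and the two views must agree before a risk is accepted.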
Summary
• Keep it Simple and Systematic
• Comprehensive
• Risk‐sensitive culture in the organization.
• Drive security from a risk management perspective, rather than only a compliance perspective.
• Help RA to help you…
Questions?

Be a Risk Assessment Evangelist!
     IS‐RA Forum on LinkedIn
     SMART‐RA Forum on LinkedIn

Dharshan Shanthamurthy,
E‐mail: dharshan.shanthamurthy@sisa.in
Phone: +91‐99451 22551
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 

Kürzlich hochgeladen (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 

ISO 27005 Risk Assessment

  • 1. Risk Assessment as per ISO 27005
    Presented by Dharshan Shanthamurthy, Risk Assessment Evangelist, WWW.SMART‐RA.COM
    SMART‐RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.
  • 2. What is Risk Assessment?
    • NIST SP 800‐30: Risk Assessment is the analysis of threats in conjunction with vulnerabilities and existing controls.
    • OCTAVE: A Risk Assessment will provide information needed to make risk management decisions regarding the degree of security remediation.
    • ISO 27005: Risk Assessment = Identification, Estimation and Evaluation.
  • 3. Why Risk Assessment? Regulatory Compliance
    Compliance Standard / Risk Assessment Requirement:
    • PCI DSS Requirement 12.1.2: Formal and structured risk assessment based on methodologies like ISO 27005, NIST SP 800‐30, OCTAVE, etc.
    • HIPAA Section 164.308(a)(1): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
    • FISMA 3544: Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed at least annually.
    • ISO 27001 Clause 4.1: Risk assessments should identify risks against risk acceptance criteria and organizational objectives. Risk assessments should also be performed periodically to address changes in the security requirements and in the risk situation.
    Also: GLBA, SOX, FISMA, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST…
  • 4. Why Risk Assessment? Business Rationale
    Function / Explanation:
    • Return on Investment: A structured RA methodology follows a systematic and pre‐defined approach, minimizes the scope for human error, and emphasizes process driven, rather than human driven, activities.
    • Budget Allocation: Assists in controls cost planning and justification.
    • Controls: Cost and effort optimization by optimizing controls selection and implementation.
    • Efficient utilization of resources: Resource optimization by appropriate delegation of actions related to controls implementation.
  • 5. What is IS‐RA?
    Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile – its strengths and weaknesses, its vulnerabilities and exposures.
    “IF YOU CAN’T MEASURE IT … YOU CAN’T MANAGE IT!”
  • 6. Reality Check
    • ISRA – a need more than a want
    • Each organization has its own ISRA
    • ISRA learning curve
    • Cumbersome – 1000 assets, 20 worksheets
    • Two months of effort
    • Complicated report
  • 7. Exercise
    • Threat Scenarios
    • Threat Profiles to be filled.
  • 8. Risk Assessment reference points
    • OCTAVE • NIST SP 800‐30 • ISO 27005 • COSO • Risk IT • ISO 31000 • AS/NZS 4360 • FRAP • FTA • MEHARI
  • 9. ISO 27005 Introduction
    • ISO 27005 is an Information Security Risk Management guideline.
    • Lays emphasis on the ISMS concept of ISO 27001:2005.
    • Drafted and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
    • Provides a RA guideline and does not recommend any RA methodologies.
    • Applicable to organizations of all types.
  • 10. ISO 27005 Workflow
    • Advocates an iterative approach to risk assessment
    • Aims at balancing time and effort with controls efficiency in mitigating high risks
    • Proposes the Plan‐Do‐Check‐Act cycle.
    Source: ISO 27005 Standard
  • 11. ISO 27005 Risk Assessment
    Information Security Risk Assessment = Risk Analysis + Risk Evaluation
    Risk Analysis = Risk Identification + Risk Estimation
    1. Risk Identification: risk characterized in terms of organizational conditions.
    • Identification of Assets: Assets within the defined scope
    • Identification of Threats: Based on incident reviewing, asset owners, asset users, external threats, etc.
  • 12. ISO 27005 Risk Assessment Contd.
    • Identification of Existing Controls: Also check if the controls are working correctly.
    • Identification of Vulnerabilities: Vulnerabilities are shortlisted in organizational processes, IT, personnel, etc.
    • Identification of Consequences: The impact of loss of CIA of assets.
    2. Risk Estimation: specifies the measure of risk.
    • Qualitative Estimation
    • Quantitative Estimation
    Risk Evaluation:
    • Compares and prioritizes Risk Level based on Risk Evaluation Criteria and Risk Acceptance Criteria.
  • 13. ISO 27005 RA Workflow
    Step 1: General Description of ISRA
    Step 2: Risk Analysis: Risk Identification
    Step 3: Risk Analysis: Risk Estimation
    Step 4: Risk Evaluation
  • 14. Step 1: General Description of ISRA
    Input: Basic Criteria; Scope and Boundaries; Organization for ISRM.
    Action: Identify, Describe (quantitatively or qualitatively) and Prioritize Risks.
    Output: Assessed risks prioritized according to Risk Evaluation Criteria.
  • 15. Step 2 (Risk Analysis: Risk Identification): Identification of Assets
    Input: Scope and Boundaries.
    Action: Assets are defined.
    Output: List of Assets; Asset owners; Asset Location; Asset function; List of associated business processes.
  • 16. Step 2 (Risk Analysis: Risk Identification): Identification of Threats
    Input: Threat Information from Review of Incidents, Asset Owners, Asset Users, etc.
    Action: Threats are defined.
    Output: Threats; Threat source; Threat type.
  • 17. Step 2 (Risk Analysis: Risk Identification): Identification of Existing Controls
    Input: Documentation of controls; RTP (Risk Treatment Plan).
    Action: Existing and planned controls are defined.
    Output: Existing and planned controls; Implementation status; Usage status.
  • 18. Step 2 (Risk Analysis: Risk Identification): Identification of Vulnerabilities
    Input: Identified Assets; Identified Threats; Identified Existing Controls.
    Action: Vulnerabilities are identified.
    Output: Vulnerabilities related to assets, threats, controls; Vulnerabilities not related to any threat.
  • 19. Step 2 (Risk Analysis: Risk Identification): Identification of Consequences
    Input: Assets and business processes; Threats and vulnerabilities.
    Action: The impact of the loss of CIA is identified.
    Output: Incident scenarios with their consequences related to assets and business processes.
  • 20. Step 3 (Risk Analysis: Risk Estimation): Risk Estimation Methodologies
    (a) Qualitative Estimation: High, Medium, Low
    (b) Quantitative Estimation: $, hours, etc.
  • 21. Step 3 (Risk Analysis: Risk Estimation): Assessment of Consequences
    Input: Assets and business processes; Threats and vulnerabilities; Incident scenarios.
    Action: The business impact from information security incidents is assessed.
    Output: Assessed consequences of an incident scenario expressed in terms of assets and impact criteria.
  • 22. Step 3 (Risk Analysis: Risk Estimation): Level of Risk Estimation
    Input: Incident scenarios with their consequences; Their likelihood (quantitative or qualitative).
    Action: Level of risk is estimated for all relevant incident scenarios.
    Output: List of risks with value levels assigned.
  • 23. Step 4: Risk Evaluation
    Input: Risks with value levels assigned and risk evaluation criteria.
    Action: Level of risk is compared against risk evaluation criteria and risk acceptance criteria.
    Output: Risks prioritized according to risk evaluation criteria in relation to the incident scenarios.
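The four steps above (identification output feeding estimation, and evaluation against acceptance criteria), carried through as an added Python example that is not part of the slides or of SMART‐RA: the three-level scales, the additive likelihood-plus-consequence matrix, the acceptance threshold and the sample scenarios are constructed assumptions, since ISO 27005 leaves scales and criteria to the organization.

```python
"""Added example (not from the slides): ISO 27005 risk estimation and risk
evaluation on a constructed risk register. Scales, the additive matrix, the
acceptance threshold and the scenarios below are all assumptions."""
from dataclasses import dataclass

# Assumed qualitative scale, as on the "High, Medium, Low" slide.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class IncidentScenario:
    """Risk identification output: asset, threat, exploited vulnerability,
    consequence (impact of loss of CIA) and the likelihood estimate."""
    asset: str
    threat: str
    vulnerability: str
    consequence: str   # qualitative: Low / Medium / High
    likelihood: str    # qualitative: Low / Medium / High


def estimate_risk(scenario: IncidentScenario) -> int:
    """Risk estimation: combine likelihood and consequence into a level
    from 2 to 6 (assumed additive matrix). Values off the scale are
    rejected so a worksheet typo cannot silently become a low risk."""
    for name, value in (("likelihood", scenario.likelihood),
                        ("consequence", scenario.consequence)):
        if value not in LEVELS:
            raise ValueError(f"{name} {value!r} is not on the scale")
    return LEVELS[scenario.likelihood] + LEVELS[scenario.consequence]


def evaluate_risks(scenarios, acceptance_threshold: int):
    """Risk evaluation: compare each estimated level with the acceptance
    criterion and return the risks prioritized highest first (ties broken
    by asset name), flagging the ones that still need treatment."""
    rated = [(estimate_risk(s), s) for s in scenarios]
    rated.sort(key=lambda pair: (-pair[0], pair[1].asset))
    return [{"asset": s.asset, "threat": s.threat, "level": level,
             "accepted": level <= acceptance_threshold}
            for level, s in rated]


# Constructed sample risk register (not real data).
SCENARIOS = [
    IncidentScenario("Cardholder database", "External attacker",
                     "Unpatched DBMS", consequence="High", likelihood="Medium"),
    IncidentScenario("HR file share", "Insider misuse",
                     "Excessive permissions", consequence="Medium", likelihood="Medium"),
    IncidentScenario("Public website", "Defacement",
                     "Weak admin password", consequence="Low", likelihood="Medium"),
    IncidentScenario("Backup tapes", "Fire",
                     "Single off-site location", consequence="High", likelihood="Low"),
]

if __name__ == "__main__":
    # Assumed acceptance criterion: risks at level 3 or below are accepted.
    for row in evaluate_risks(SCENARIOS, acceptance_threshold=3):
        print(row["level"], "accepted" if row["accepted"] else "treat",
              row["asset"], "/", row["threat"])
```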
  • 24. Summary
    • Keep it Simple and Systematic
    • Comprehensive
    • Risk sensitive culture in the organization.
    • Drive security from a risk management perspective, rather than only a compliance perspective.
    • Help RA to help you…
  • 25. Questions? Be a Risk Assessment Evangelist!
    IS‐RA Forum on LinkedIn; SMART‐RA Forum on LinkedIn
    Dharshan Shanthamurthy, E‐mail: dharshan.shanthamurthy@sisa.in, Phone: +91‐99451 22551