Integrated Risk Management

Date post: 12-Apr-2017

Upload: omicron-systems
Page 1: Integrated Risk Management
Page 2: Integrated Risk Management

o The Problem / Complexity

o ISO 31000 / 27001 / 20000

o NIST SP 800-30 rev.1

o Risk Management

o Risk Modelling

o The System / Login / Menu

o Risk Assessment

o Subsystems / Connection

o Automation & Modelling

o User Management

o Internal Communication

o Documentation & Support

o Mitigation Strategy

o Filters & Colours

o Report Engine

o Document Management

o Risk Doc Templates

o Risk Monitoring

o Workflows

o Audit Management

o Reviews & Knowledge Mngt

o Risk Scenario

o Summary & Conclusion

Page 3: Integrated Risk Management

Risk

Migrate, so it’s difficult to identify them

Grow fast suddenly

‘Hide’ due to limited physical oversight

As systems have become more complex, integrated and connected to third parties, risks are growing exponentially and the security and control budget quickly reaches its limitations.

Page 4: Integrated Risk Management

ISO 31000: Risk Management – Principles and Guidelines. Any type of risk, any type of industry.

NIST SP 800-30 rev.1: Guide for Conducting Risk Assessments. USA Federal Information Systems & Organizations.

ISO 27001: Security techniques – ISMS – Requirements.

ISO 20000: IT Service Management – Requirements. Related: ITIL, COBIT.

Page 5: Integrated Risk Management

Risk management process (figure; labels recovered from the slide):

Establishing Context

Risk Assessment: Risk identification, Risk analysis, Risk evaluation

Risk Treatment

Communication & Consultation

Monitoring & Review

Page 6: Integrated Risk Management

Likelihood X Impact

5 categories used by Microsoft in the past. It provides a mnemonic for risk rating security threats.

Base, Temporal and Environmental Metrics.

Open Web Application Security Project: 4 risk categories x 4 factors/impacts.
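The "Likelihood X Impact" model and the OWASP "4 risk categories x 4 factors" scheme above are the arithmetic of the OWASP Risk Rating Methodology: every factor is scored 0-9, likelihood is the average of the four threat-agent and four vulnerability factors, impact is the average of the four technical (or four business) impact factors, each average maps to LOW / MEDIUM / HIGH, and a 3x3 matrix turns the two levels into an overall severity. The following Python is an added worked example, not code from the slides or from Omicron Systems; the factor names follow the OWASP methodology, and the numeric scores are constructed for one hypothetical finding.

```python
"""Likelihood x Impact risk rating using the OWASP Risk Rating Methodology's
arithmetic (0-9 factor scores, group averages, 3-step levels, severity matrix).
Added example with constructed sample scores; not a real assessment."""

# Factor groups as named in the OWASP methodology.  The values are
# constructed sample scores (0 = negligible ... 9 = worst) for one finding.
THREAT_AGENT = {"skill_level": 6, "motive": 4, "opportunity": 7, "size": 9}
VULNERABILITY = {"ease_of_discovery": 7, "ease_of_exploit": 5,
                 "awareness": 6, "intrusion_detection": 8}
TECHNICAL_IMPACT = {"loss_of_confidentiality": 7, "loss_of_integrity": 5,
                    "loss_of_availability": 1, "loss_of_accountability": 7}
BUSINESS_IMPACT = {"financial_damage": 3, "reputation_damage": 2,
                   "non_compliance": 2, "privacy_violation": 4}

# Overall severity keyed by (impact level, likelihood level), as in the
# OWASP matrix: low impact + low likelihood is only a "NOTE", high + high
# is "CRITICAL".
SEVERITY = {
    ("LOW", "LOW"): "NOTE", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}


def average(factors):
    """Average of a factor group after checking every score is in 0-9."""
    for name, score in factors.items():
        if not 0 <= score <= 9:
            raise ValueError(f"factor {name!r} must be scored 0-9, got {score}")
    return sum(factors.values()) / len(factors)


def level(score):
    """Map a 0-9 average to the OWASP three-step scale."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def likelihood(threat_agent, vulnerability):
    """Likelihood = average of all eight threat-agent + vulnerability factors."""
    return average({**threat_agent, **vulnerability})


def impact(factors):
    """Impact = average of the four technical or four business factors."""
    return average(factors)


def overall_severity(likelihood_score, impact_score):
    """Combine the two averages through the severity matrix."""
    return SEVERITY[(level(impact_score), level(likelihood_score))]


def rate(threat_agent, vulnerability, impact_factors):
    """Full rating for one finding: raw averages, levels and severity."""
    lik = likelihood(threat_agent, vulnerability)
    imp = impact(impact_factors)
    return {
        "likelihood": lik, "likelihood_level": level(lik),
        "impact": imp, "impact_level": level(imp),
        "severity": overall_severity(lik, imp),
    }


if __name__ == "__main__":
    # Same finding rated once on technical impact and once on business
    # impact; the business figures, when known, give the more useful answer.
    for label, factors in (("technical", TECHNICAL_IMPACT), ("business", BUSINESS_IMPACT)):
        r = rate(THREAT_AGENT, VULNERABILITY, factors)
        print(f"{label}: likelihood {r['likelihood']:.2f} ({r['likelihood_level']}), "
              f"impact {r['impact']:.2f} ({r['impact_level']}) -> {r['severity']}")
```

With the constructed scores the likelihood average is 6.5 (HIGH); rated on technical impact (5.0, MEDIUM) the finding is HIGH, rated on business impact (2.75, LOW) it drops to MEDIUM. That gap is the point of keeping business and technical impact as separate groups: the same vulnerability lands in different priority buckets depending on what the organisation actually stands to lose, so a risk register should record which impact group the rating used.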


A user identifies an event as a possible threat and opens a ticket in the system. He marks the record's priority field as "Urgent" and an automated workflow sends a notification email to the team.

In 5 minutes an engineer has received the notification. He examines the situation and creates a risk record in the system.

Multiple incidents are recorded during the day from different users and for different things.

Every manager sets the priorities for the next period, assigning activities to the members of his/her team. As he/she implements risk assessments or approves mitigations, he/she always watches the key metrics and dashboard diagrams.

Periodically, and just before the external audits, he/she reviews all risks that are due for review, runs the report engine and produces the risk assessment and treatment report.

2 times per year, top management reviews all the statistics and KPIs. Especially, they want to know the most important things that happened and whether the targets are met.

Page 24: Integrated Risk Management

• Evolving systems require good risk management

• All members should collaborate during this process

• Ideally, IT tools should be used for efficiency and compliance

Page 25: Integrated Risk Management

We are trying our best!

1 str. Artis, Athens, GR

www.osys.gr

[email protected]

30 210 97 62 600

www.facebook.com/osys.gr

@omicronsystems

Page 26: Integrated Risk Management

Yiannis Issaris - Omicron Systems

3rd CryCybIW
