Date posted: 19-Jan-2016
Risk assessment
Rolf Sture Normann, CISA, CRISC, ISO 27001 Lead Implementer
Secretary for information security in HE Norway, UNINETT
Risk assessment?
Identify which assets we have and what can happen to them that has a negative impact on the information's
• Confidentiality
• Integrity
• Availability
Assess the risk: the combination of impact and likelihood (given the asset value) for each event
Evaluate and treat the risk by implementing proper controls that reduce the likelihood and/or the impact the incident will cause
Bring the risk down to an accepted level
Why do risk assessment?
Comply with regulations and laws
To keep a trust between the registrant and the registered
Quality
Know which assets you have
Important part of the information security!
We do it every day…
What is our decision based on? Not documented and not structured
Challenges
Time- and resource-consuming
Needs special knowledge or expensive consultants
Support from the management
Delivering services is more important than securing them?
Research report in the Norwegian HE sector
http://complexserien.net/content/201404-styring-av-informasjonssikkerheten-i-universiteter-og-h%C3%B8yskoler
Important topics in white paper
As easy as possible (but not easier)
Get started, don't wait until you think you have the perfect system
Risk assessment for end users and highly technical personnel
Practical
• Planning
• Leadership
• Workshop
• Do methods really matter
• Report
Risk treatment
Risk process in the ISMS
Improvement
Planned activities:
• Scope, goal, strategy, organizing
• Accept criteria
• Requirements/guidelines
• Risk assessment (ROS)
• Risk management, controls/SoA
• Assets
• Training, courses
• Audits, security audit
• Security culture
• Year plan for CISO
• Governance documents
• Implementing documents and tasks
Controlling activities:
• Incidents
• Top 10 incidents
• Management review
• Corrective decisions / actions
• Yearly report for management review
• Corrections
• Status report from CISO
Risk assessments at different levels
• The business: overall risk assessment
• Business processes (Process 1 to Process 4): risk assessment for business processes
• Systems (System 1 to System 8): risk assessment for systems
• Infrastructure
The business
Helicopter view
What are the «built-in» risks in our sector
What kind of information do we have
Facilities
Regions
Business processes
Assessing a specific business process
Example: the research and development process
Different participants on different stages
Business systems
Scope
Usage of the system
What information
End users or superusers
Technical staff/operations
Administrators
System n
User perspective
Technical perspective
ROS workshop (ROS: risiko- og sårbarhetsanalyse, risk and vulnerability analysis)
Workshop to find what events can occur and their impact.
Not too many participants.
One person with experience in risk assessments should facilitate the workshop.
A secretary who takes notes of the events.
Try to involve persons who represent your organisation's use of the system/process.
Leaving out people who should have been involved can make «enemies».
Workshop-planning
The scope
Who should attend
Don't create «enemies»
All types of users
Create a preparing document
Can be an eye opener (awareness)
Workshop - the meeting
What is risk assessment
Participants are important
Discuss the provided examples
One person should write down the incidents that come up
Try to find out when to end this part
Likelihood and impact
Risk matrix and the values
Acceptable criteria
How often?
Should be done on a regular basis
ROS should be done after each change in the system or environment that can affect information security
Once a thorough ROS is done, it is more efficient to use the last assessment as a base; it will become less time-consuming
Risk treatment
After the ROS is done it is crucial to treat the newly discovered risks. A risk treatment plan should be made, based on the policy for treating risk.
Methods
Reduce (Mitigate)
Accept
Transfer
Avoid
Risk should be treated until it is acceptable according to the accept criteria set by the management
The risk matrix
Likelihood scale
Impact scale
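The workshop output (events per asset with a likelihood and an impact), the risk matrix with management's accept criteria, and the four treatment methods above fit together as a small risk register. The following is an added example and not code from the presentation or from UNINETT; the five-step scales, the "score = likelihood × impact" matrix, the accept level of 6 and the sample events are all constructed assumptions, since the slides name the scales and criteria but give no values.

```python
"""Risk register with a likelihood x impact matrix, accept criteria and treatment.

Added example; scales, thresholds and events are constructed assumptions,
not values taken from the presentation.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed five-step scales; the slides mention scales but give no values.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
TREATMENTS = ("reduce", "accept", "transfer", "avoid")
# Accept criterion set by management (assumed): a score at or below 6 is acceptable.
ACCEPT_LEVEL = 6


@dataclass
class Event:
    """One workshop finding: what can happen to an asset and which property (C/I/A) it hits."""
    asset: str
    description: str
    affects: str
    likelihood: int
    impact: int
    treatment: Optional[str] = None
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None


def risk_score(likelihood: int, impact: int) -> int:
    """Risk is the combination of likelihood and impact; here simply their product (1..25)."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be on the 1-5 scales")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Band of the matrix (constructed thresholds): low / medium / high."""
    if score <= ACCEPT_LEVEL:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def residual_score(ev: Event) -> int:
    """Score after treatment. 'avoid' removes the activity, so nothing is left to score."""
    if ev.treatment == "avoid":
        return 0
    if ev.treatment in (None, "accept"):
        return risk_score(ev.likelihood, ev.impact)
    likelihood = ev.residual_likelihood if ev.residual_likelihood is not None else ev.likelihood
    impact = ev.residual_impact if ev.residual_impact is not None else ev.impact
    return risk_score(likelihood, impact)


def treat(ev: Event, method: str, residual_likelihood: Optional[int] = None,
          residual_impact: Optional[int] = None) -> int:
    """Record a treatment decision and return the residual score.

    'reduce' lowers likelihood and/or impact with controls; 'transfer' typically lowers
    impact (insurance, vendor SLA); 'accept' is only allowed for risks that already meet
    the accept criteria, anything above that needs an explicit management decision.
    """
    if method not in TREATMENTS:
        raise ValueError(f"unknown treatment {method!r}")
    if method == "accept" and risk_score(ev.likelihood, ev.impact) > ACCEPT_LEVEL:
        raise ValueError("risk is above the accept criteria; accepting it needs a management decision")
    ev.treatment = method
    ev.residual_likelihood = residual_likelihood
    ev.residual_impact = residual_impact
    return residual_score(ev)


def open_risks(register: list[Event]) -> list[Event]:
    """Events whose (residual) risk is still above the accept criteria: treatment is not done."""
    return [ev for ev in register if residual_score(ev) > ACCEPT_LEVEL]


def matrix_cells(register: list[Event]) -> dict[tuple[int, int], list[str]]:
    """Place the untreated events in the matrix: (likelihood, impact) -> asset names, for the report."""
    cells: dict[tuple[int, int], list[str]] = {}
    for ev in register:
        cells.setdefault((ev.likelihood, ev.impact), []).append(ev.asset)
    return cells


def sample_register() -> list[Event]:
    """Constructed workshop output for a student administration system (not real data)."""
    return [
        Event("student records database", "unpatched server compromised, records leaked", "C", 3, 5),
        Event("exam delivery system", "outage during an exam", "A", 2, 4),
        Event("research data share", "wrong dataset version used in a paper", "I", 4, 1),
    ]


if __name__ == "__main__":
    register = sample_register()
    for ev in register:
        score = risk_score(ev.likelihood, ev.impact)
        print(f"{ev.asset:26} L={ev.likelihood} I={ev.impact} score={score:2} {risk_level(score)}")
    print("open before treatment:", [ev.asset for ev in open_risks(register)])
    treat(register[0], "reduce", residual_likelihood=1)   # patching and hardening
    treat(register[1], "transfer", residual_impact=2)      # vendor SLA plus fallback procedure
    treat(register[2], "accept")                           # already within the accept criteria
    print("open after treatment:", [ev.asset for ev in open_risks(register)])
```

Re-running `open_risks` after the treatment plan is the check the slide asks for: treatment continues until the list is empty, and `treat(..., "accept")` refuses to silently accept anything above the management's accept level, which keeps that decision documented rather than implicit.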
Workshop results
The report
ISMS for the HE sector in Norway