Risk Management Overview

Date post: 11-Apr-2017
Upload: naresh-rao
Page 1: Risk Management Overview

Issue 2 © Intertek QATAR www.intertek.com

Risk Management

LET US SEE WHAT IS

Page 2: Risk Management Overview


Diagram: categories of risk. Information Security Risks (Confidentiality Risks, Integrity Risks, Availability Risks); Business Continuity Risks; Health & Safety Risks; Product Risks; Process Risks; Environmental Risks; Financial Risks; Food Safety Risks; Logistic Risks; Accounting Risks; Capacity Risks; Competency Risks; etc.

Diagram: EXTERNAL FACTORS and INTERNAL FACTORS affecting risk. Stock market; insurance; catastrophes; product; processes; human dependency; logistics; legal; industry standards & acceptance criteria; principles / vision / policies / strategies; IT; competitors; neighbours; pressure groups; transparency; culture; competency.

Page 3: Risk Management Overview


Page 4: Risk Management Overview


A tyre company designs a tyre which has the following features, based on market research, to capture the market (market share from 40% to 75%):

Long Lasting – 2 million miles; Any Terrain – Desert & Rocky; 100% Air Tight

Result in one year: captures the market (market share increased from 40% to 85% - more than targeted)

BUT

New sales went down, as there was no need for customers to invest in new tyres

So both risks (+ve & -ve) should be identified in Risk Assessment

Positive Risks (Opportunities)

Page 5: Risk Management Overview


RISK MANAGEMENT LIFE CYCLE

Page 6: Risk Management Overview


Page 7: Risk Management Overview


Risk Governance

Page 8: Risk Management Overview


RISK BASED THINKING (RISK MANAGEMENT) & CORRECTIVE ACTIONS REQUIRE BIGGER VISION

Importance of Vision

Page 9: Risk Management Overview


ENTERPRISE RISK MANAGEMENT

Page 10: Risk Management Overview


Information Security Overview

Scenarios of Risk

THERE ARE TWO SCENARIOS OF RISK

Scenario 1: Occurrence CHANGES but Impact is SAME

Scenario 2: Impact CHANGES but Occurrence is SAME

Page 11: Risk Management Overview


Figure: Probability of falling is LOW vs. Probability of falling is HIGH

Risk of Failure = Probability of Occurrence X Severity of the Impact

Scenario 1 = Probability of Occurrence CHANGES but Impact is SAME

Page 12: Risk Management Overview


Impact is LESS if speed is LESS @ 10 km/hr; Impact is HIGH if speed is HIGH @ 150 km/hr

Scenario 2 = Impact CHANGES but Probability of Occurrence is SAME

Risk of Failure = Probability of Occurrence X Severity of the Impact

Page 13: Risk Management Overview


0.3 Selecting controls Controls can be selected from this standard or from other control sets, or new controls can be designed to meet specific needs as appropriate. The selection of controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options and the general risk management approach applied to the organization, and should also be subject to all relevant national and international legislation and regulations. Control selection also depends on the manner in which controls interact to provide defence in depth. Some of the controls in this standard can be considered as guiding principles for information security management and applicable for most organizations. The controls are explained in more detail below along with implementation guidance. More information about selecting controls and other risk treatment options can be found in ISO/IEC 27005.[11]

RISK MITIGATION IN INFORMATION SECURITY

Page 14: Risk Management Overview


Logical Flow of Risk Assessment in ISMS

1. Identification of Vulnerability for Information Risk of C, I & A

2. Identification of Existing Controls (if any already there) for Information Risk of C, I & A

3. Performing the Risk Evaluation to understand the level of existing risk ( Example > High / Medium / Low) - of C, I & A

4. Deciding if this is acceptable or requires further treatment to reduce the risk of C, I & A

5. Deciding treatment from Annexure A Controls / Newly designed Control to reduce the risk of C, I & A

6. Analysing whether the Controls are effective and Approving Residual Risks of C, I & A

So we do Risk Evaluation twice - one after existing controls and one after new controls to understand the level of risk reduction of C, I & A

Page 15: Risk Management Overview


RISK MITIGATION IN BCMS

Page 16: Risk Management Overview


Logical Flow of Risk Assessment in BCMS

1. Identification of Vulnerability for Information Risk of C, I & A

2. Identification of Existing Controls (if any already there) for BC Plans

3. Performing the Risk Evaluation to understand the level of existing risk ( Example > High / Medium / Low) - of BC

4. Deciding if this is acceptable or requires further treatment to reduce the risk of BC

5. Deciding treatment from Annexure A Controls / Newly designed Control to reduce the risk of BC

6. Analysing whether the Controls are effective and Approving Residual Risks of BC

So we do Risk Evaluation twice - one after existing controls and one after new controls to understand the level of risk reduction in BCMS

Page 17: Risk Management Overview


RISK LEVEL

HIGH / 71 - 100

Medium / 41 - 70

Low / 1 - 40

RISK MITIGATION ( Risk Reduction )

Risk Mitigation – Implementing Controls for Risk Reduction

No matter which controls are implemented, the following are the facts:

1. They shall definitely bring down the risk of C, I & A – for as long as the control is effective;

2. Whatever the control, the risk cannot be brought to ZERO – it can only reduce the risk;

3. In IT, controls can reduce the "PROBABILITY" only;

4. Residual risks shall always be there – one must remember this 24x7.

NO CONTROL CAN BRING ANY RISK TO ZERO LEVEL; THERE SHALL ALWAYS BE RESIDUAL RISK
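As an added example (not code from the Intertek deck), the two-stage evaluation of pages 14 and 16 scored with the deck's formula and its 1-40 / 41-70 / 71-100 bands, in Python. The 1..10 probability and severity scales, the reduction fractions, and every control name other than A.6.2.1 are assumptions made here.

```python
from dataclasses import dataclass, field

# Assumed scales (not on the slides): probability and severity are each rated
# 1..10, so Risk = P x S lands on the deck's 1..100 scale and its own bands.
BANDS = [(1, 40, "Low"), (41, 70, "Medium"), (71, 100, "High")]

def risk_score(probability: int, severity: int) -> int:
    # Risk of Failure = Probability of Occurrence x Severity of the Impact
    return probability * severity

def risk_level(score: int) -> str:
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside 1..100")

@dataclass
class Control:
    name: str
    probability_reduction: float  # fraction of P removed; severity is untouched
@dataclass
class Risk:
    ref: str  # cross-reference used in the SOA, e.g. "Risk Number 43"
    probability: int
    severity: int
    existing: list = field(default_factory=list)
    proposed: list = field(default_factory=list)

def apply_controls(probability: int, controls: list) -> int:
    # Controls reduce PROBABILITY only, and never to zero (page 17 of the deck).
    p = float(probability)
    for c in controls:
        p *= 1.0 - c.probability_reduction
    return max(1, round(p))

def two_stage_evaluation(r: Risk) -> dict:
    # Eval 1 = baseline with existing controls; eval 2 = after the proposed
    # controls, recording the residual risk (pages 19-20 of the deck).
    p1 = apply_controls(r.probability, r.existing)
    s1 = risk_score(p1, r.severity)
    p2 = apply_controls(p1, r.proposed)
    s2 = risk_score(p2, r.severity)
    return {"ref": r.ref, "current": (s1, risk_level(s1)),
            "residual": (s2, risk_level(s2)), "reduction": s1 - s2}

# Constructed sample (A.6.2.1 is the deck's SOA entry; all numbers are made up).
SAMPLE = Risk("Risk Number 43", probability=9, severity=9,
              existing=[Control("Visitor badge check", 0.1)],
              proposed=[Control("Mobile device policy (A.6.2.1)", 0.4),
                        Control("Full-disk encryption on laptops", 0.5)])
```

Calling `two_stage_evaluation(SAMPLE)` gives a current risk of 72 (High) and a residual risk of 18 (Low); the residual never reaches zero because `apply_controls` floors the probability at 1.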

Page 18: Risk Management Overview


Risk Evaluation Methodologies (samples only)

Page 19: Risk Management Overview


ISMS RISK ASSESSMENT

STEP 1 = Identifying the Potential Causes + % of Impact on business + Current Risk Level (considering existing controls)

Diagram: IDENTIFICATION OF THREATS AND VULNERABILITIES FOR RISKS > CONSIDER THE EXISTING CONTROLS AS CURRENT BASELINE > RISK EVALUATION 1 – IMPACTS ON CONFIDENTIALITY, INTEGRITY AND AVAILABILITY > CURRENT RISK LEVEL

Page 20: Risk Management Overview


ISMS RISK ASSESSMENT

Stage 2 = Plan the actions / controls to reduce the risks and calculate RPN again to demonstrate reduction of the identified risks, and also record the residual risks.

Diagram: NEW CONTROLS – RISK MITIGATION PLANS > NEW RISK LEVEL > NEW BASELINE > RESIDUAL RISKS OF CONFIDENTIALITY, INTEGRITY & AVAILABILITY > OVERALL RESIDUAL RISKS

Page 21: Risk Management Overview


STATEMENT OF APPLICABILITY [ SOA ]

SOA IS A STATEMENT CONTAINING:

- The list of controls used in the Risk Assessment – with JUSTIFICATIONS for INCLUSIONS

- The list of controls not used in the Risk Assessment – with JUSTIFICATIONS for NON-INCLUSIONS

BEST PRACTICE

1. The SOA and RA have to be considered as Synchronized CIs (CI = Configuration Item)

Synchronized CI = VERSION OF SOA AND RA MUST BE THE SAME > AFTER EVERY CHANGE MADE IN THE RA, THE SOA IS REVIEWED AND THE VERSION OF THE SOA IS UPGRADED TO THE SAME AS THAT OF THE RA

Page 22: Risk Management Overview


SAMPLE Statement of Applicability

Control Number | Control Objectives/ Controls | Applicable YES / NO | Justification | Cross reference / In Risk Assessment
A.6.2.1 | Mobile device policy | YES | To ensure that confidential information is not carried outside through laptop computers & cellphones | Risk Number 43
A.12.1.4 | Separation of development, testing environments | NO | Document Bank is involved only in operational activities such as scanning and storage etc. | Not Applicable

Page 23: Risk Management Overview


NEW CONTROLS – RISK MITIGATION PLANS FROM RISK ASSESSMENT

BUSINESS CONTINUITY PLANS

Page 24: Risk Management Overview


Incident

Page 25: Risk Management Overview


INCIDENT MANAGEMENT – RISK VALIDATION & CORRECTIVE ACTIONS

STEP 1 > RECORD THE INCIDENT

Who? Who was involved? Who has to be informed about the incident? Who will inform?

Where? Where was the impact?

When? When did the incident occur?

Was it a Product Design Fault / Process Failure?

STEP 2 > IDENTIFY THE CAUSES OF THE INCIDENT

Page 26: Risk Management Overview


Incident > Product Withdrawal and Product Recall

Mattel recalls 1.5 million toys: http://www.youtube.com/watch?v=NlsvfXAQ5v8&feature=fvw

Lead contamination – Toxic levels of lead paint lawsuit: http://www.youtube.com/watch?v=3DL4dleEz7I

Page 27: Risk Management Overview


The 2009 Toyota 9 Million Car Recall

Toyota Motor Corp. recalled approximately 9 million vehicles in the United States, which was the company's largest-ever U.S. recall. The purpose of the recall was to address quality assurance and quality control problems with a removable floor mat that could cause accelerators to get stuck and potentially lead to a crash. (Source: Toyota recalls 3.8 million vehicles, MSNBC.com)

Toyota, which up until that point prided itself on its quality practices, had made the decision in the 1990s to put a greater emphasis on growth. They failed to adhere to the quality principle of employee involvement, as there was less employee engagement and sharing of best practices. While the CEO was proactive about cancelling the sales and production of the recalled models, 52 people lost their lives as a result of motor vehicle crashes.

Incident > Product Withdrawal and Product Recall

Page 28: Risk Management Overview


PROPOSED CONTROLS IN RISK ASSESSMENT AFTER INCIDENT

The BIG Qs: WHAT ARE THE STEPS TO UPDATE THE RISK ASSESSMENT?

DOES THIS NEW CONTROL(S) GENERATE ANY CASCADING IMPACTS? YES / NO

Update Risk Assessment and implement New Controls to Mitigate the Risk of Incident Repetition

Page 29: Risk Management Overview


Answer > RISK VALIDATION

SYSTEM:

• Governance;
• Strategy;
• Policies;
• Industry sector specific Statutory & Regulatory Requirements, Strategy & Policies

Controls (mitigations) Incorporated In the Process Documents & Implemented

Incident > New controls and/or Existing controls and/or New Threats/New Vulnerabilities

PLAN > DO > CHECK > ACT

Risk Validation – Converting VISION RA to FACTUAL RA

Residual risks

1st Step to Validate > RESIDUAL RISKS MIGHT HAVE CAUSED THE INCIDENT?

2nd Step to Validate (If 1st is Failure) > WEAK MITIGATIONS / WEAK IMPLEMENTATION MIGHT HAVE CAUSED THE INCIDENT?

3rd Step to Validate (If 1st & 2nd are Failure) > NEW THREAT / VULNERABILITY MIGHT HAVE CAUSED THE INCIDENT?

Take away >>> RISK ASSESSMENT, SOA AND INCIDENTS have to be Synchronized

KNOWLEDGE BASE: RCA (Root Cause Analysis); KEDB (Known Error Data Base); CMDB (Configuration Management Data Base)

Page 30: Risk Management Overview


COST IMPACT DUE TO PERFECTION / NON-CONFORMANCE

Page 31: Risk Management Overview


COST IMPACT DUE TO PERFECTION / NON-CONFORMANCE

Page 32: Risk Management Overview


Thanks for your valuable time !
