I & II - Introduction to Value & Risk Mgt. & Process Summary
Posted on 07-Aug-2018
8/21/2019 I & II - Introduction to Value & Risk Mgt. & Process Summary
Risk Management

Definition of risk
Risk means the chance of injury or loss due to an uncertain danger, peril or hazard.
A particular decision or course of action is said to be subject to risk when there is a range of possible outcomes to which objectively known probabilities can be attached.

Risk vs uncertainty
Risk is thus distinguished from uncertainty, where there is a plurality of outcomes to which objective probabilities cannot be assigned.
Many situations which in practice are called "risky" are, on a strict definition, really subject to uncertainty, not risk.

Definition of Risk Management (RM)
RM involves anticipating and/or identifying potential risks and taking steps to avoid them or to mitigate the resulting harm.
The aim is to minimise the sum of:
• retained losses
• insurance or other risk transfers
• loss control expenses

Risk Management
[Diagram: Internal Factors (culture, corporate history, management's risk tolerance, organizational maturity, structure) and External Factors (regulation, industry)]
Risk Mgmt strategies are determined by both internal & external factors.
Risk Tolerance or Appetite: the level of risk that management is comfortable with.

Risk Management Process
[Diagram: Establish Scope & Boundaries → Risk Assessment (Identification, Analysis, Evaluation) → Risk Treatment (Avoid, Reduce, Transfer, Retain) → Accept Residual Risk, with Risk Communication & Monitoring running alongside]
Questions asked at each stage:
What assets & risks exist?
What to investigate? What to consider?
What does this risk cost? What priorities shall we set?
What controls can we use?

Risk Appetite
Do you operate your computer with or without antivirus software?
Do you have antispyware?
Do you open emails with forwarded attachments from friends or follow questionable web links? Have you ever given your bank account information to a foreign emailer to make $$$?
What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites, decided after evaluating risk.

Continuous Risk Mgmt Process
[Cycle: Identify & Assess Risks → Develop Risk Mgmt Plan → Implement Risk Mgmt Plan → Proactive Monitoring → back to Identify & Assess, driven by Risk Appetite]
Risks change with time as business & environment change.
Controls degrade over time and are subject to failure.
Countermeasures may open new risks.

A builder"s definition of R
Risk is an uncertain event, feature, activity orsituation that can have a positive or negativeeffect on an object
R is a formal process that identifies, assesses,plans and manages the risk
Why builders have RM
"A risk aware organisation, capable of identifying and managing uncertainty in order to maximise opportunity, deliver max. value"
"…Its primary aim is to help maximise business value by doing the right projects, right the first time."
RM Quality: "and the successful identification, reduction, communication and control of risk are key issues and performance drivers…"

Why builders have RM
The group "assesses and manages risk to ensure that:
• the public, our employees and the environment are safe from the potential hazards in our operations;
• new essential assets are created to the maximum obtainable benefit of their intended users and the community at large;
• the potential for damage to our clients and the Group's corporate reputation and/or financial loss to our stakeholders is minimised."

RM in Building
Every activity/project faces the full risk spectrum.
Tied to health, safety, environment, regulations, labour (supply/law), transport etc.
In broad terms, risk can be divided into:
strategic
operating
financial
information

Strategic risks
Environmental:
Natural/man-made disasters
Political
Laws & regulations
Industry
Competition
Financial markets
Organisational:
Corporate objectives & strategies
Leadership
Management
Investor/credit relations
Human resources

RM and risk control
Mgt process:
Identify and analyse exposure
Evaluate alternatives
Select most promising technique
Implement choice
Monitor process and change as necessary
Control:
Avoidance
Prevention
Reduction (stop losses or reduce damage)
Segregation of loss exposures
Contractual risk transfer

Security Evaluation: Risk Assessment
Five steps include:
1. Assign Values to Assets: Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities: Confidentiality, Integrity, Availability
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss: Loss = Downtime + Recovery + Liability + Replacement
   Risk Exposure = Probability of Vulnerability × Loss ($)
5. Treat Risk: Survey & Select … (risk exposure after reduction) / (cost of risk reduction)

Step 1: Determine Value of Assets
Identify & Determine Value of Assets (Crown Jewels). Assets include:
IT-related: information/data, hardware, software, services, documents, personnel
Other: buildings, inventory, cash, reputation, sales opportunities
What is the value of this asset to the company? How much of our income can we attribute to this asset? How much would it cost to recover this? How much liability would we be subject to if the asset were compromised?
Helpful websites: www.attrition.org

Determine Cost of Assets
[Diagram: Sales broken down into Product A, Product B and Product C; for each product the risk is costed as: Replacement Cost = ; Cost of loss of integrity = ; Cost of loss of availability = ; Cost of loss of confidentiality = ]
Tangible + Intangible costs, rated High/Med/Low

Step 1: Determine Value of Assets
Asset Name | Value: Direct Loss / Replacement | Value: Consequential Financial Loss | Confidentiality, Integrity and Availability | Notes
Laptop | $1,000 | Mailings = $130 × #customers; Reputation = $9,000 | Conf., Avail. | Breach notification law
Equipment | $10,000 | $… per day in availability (e.g., due to … workbook) | | 

Step 2: Determine Loss Due to Threats
Natural: flood, fire, cyclones, rain/hail/snow, plagues and earthquakes
Unintentional: fire, water, building damage/collapse, loss of utility services, and equipment failure
Intentional: fire, water, theft, vandalism
Intentional, non-physical: fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing, denial of service

Threat Agent Types
Agent | Motivation | Typical acts
Hackers/Crackers | Challenge, rebellion | Unauthorized access
Criminals | Financial gain, disclosure/destruction of info | Fraud, computer crimes
Terrorists | Destruction/revenge/extortion | DoS, info warfare
Industry Spies | Competitive advantage | Info theft, economic exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse

Step 2: Determine Threats Due to Vulnerabilities
System vulnerabilities:
Behavioral: disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment
Misinterpretation: poorly-defined procedures, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement
Coding problems: security ignorance, poorly-defined requirements, defective software, unprotected communication
Physical vulnerabilities: fire, flood, negligence, theft, kicked terminals, no redundancy

Step 3: Estimate Likelihood of Exploitation
Best sources:
Past experience
Mass media
Specialists and expert advice
Economic, engineering, or other models
Market research & analysis
Experiments & prototypes

Step 4: Compute Expected Loss
Risk Analysis Strategies
Qualitative: prioritises risks so that the highest risks can be addressed first; based on judgment, intuition, and experience; may factor in reputation, goodwill, non-tangibles
Quantitative: measures the approximate cost of impact in financial terms
Semi-quantitative: a combination of qualitative & quantitative techniques

Step 4: Compute Loss Using Qualitative Analysis
Qualitative analysis is used:
As a preliminary look at risk
With non-tangibles, such as reputation, image, market share, share value
When there is insufficient information to perform a more quantified analysis

Step 4: Compute Loss Using Semi-Quantitative Analysis
Impact scale: (1) Insignificant: …

Semi-Quantitative Impact Matrix
Likelihood (columns): Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)
Impact (rows): Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1)
[Matrix: each likelihood/impact cell is banded Low, Medium, High or Very High, rising from the low-likelihood, low-impact corner to the high-likelihood, high-impact corner]

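The matrix above in code, as an added illustration that is not part of the slides: likelihood and impact use the deck's 1-5 scales and a product score, while the band boundaries are an assumption (the slide shows the bands but not where they fall); it also ranks a constructed risk register highest-risk first, as the qualitative strategy slide prescribes.

```python
# Added example, not from the deck. Scales are the slide's; band thresholds are assumed.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Frequent": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Major": 3, "Material": 4, "Catastrophic": 5}


def risk_score(likelihood: str, impact: str) -> int:
    """Score a risk as likelihood x impact on the 1-5 scales (range 1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_band(score: int) -> str:
    """Map a score to a matrix band. ASSUMED thresholds, not stated on the slide."""
    if score >= 15:
        return "Very High"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def matrix() -> dict:
    """Full 5x5 grid as {impact: {likelihood: band}}, highest impact row first."""
    rows = sorted(IMPACT, key=IMPACT.get, reverse=True)
    return {i: {l: risk_band(risk_score(l, i)) for l in LIKELIHOOD} for i in rows}


def prioritise(risks):
    """Rank (name, likelihood, impact) tuples highest score first."""
    scored = [(name, risk_score(l, i), risk_band(risk_score(l, i))) for name, l, i in risks]
    return sorted(scored, key=lambda r: r[1], reverse=True)


# Constructed sample register using threat types named elsewhere in the deck.
SAMPLE_RISKS = [
    ("Phishing against finance staff", "Likely", "Major"),
    ("Building fire", "Rare", "Catastrophic"),
    ("Temporary power outage", "Moderate", "Minor"),
    ("Disgruntled insider exfiltrates data", "Unlikely", "Material"),
]

if __name__ == "__main__":
    for impact, cells in matrix().items():
        print(f"{impact:13} " + " ".join(f"{cells[l]:>9}" for l in LIKELIHOOD))
    for name, score, band in prioritise(SAMPLE_RISKS):
        print(f"{band:9} {score:2}  {name}")
```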
Step 4: Compute Loss Using Quantitative Analysis
Single Loss Expectancy (SLE): the cost to the organization if one threat occurs once. E.g. stolen laptop = replacement cost + cost of installation of special software and data (assumes no liability).
SLE = Asset Value (AV) × Exposure Factor (EF). With a stolen laptop, EF = 1.0.
Annualized Rate of Occurrence (ARO): probability or frequency of the threat occurring in one year. If a fire occurs once every 25 years, ARO = 1/25.
Annual Loss Expectancy (ALE): the annual expected financial loss to an asset, resulting from a specific threat. ALE = SLE × ARO.

Quantitative Risk
Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Building | Fire | $1M | 0.04 (1 in 25 years) | $40K
Laptop | Stolen | $1… | 0.… (… years) | $1…
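The SLE/ARO/ALE chain from the previous slide applied to this table, as an added example that is not the deck's own material: the fire figures are the slide's ($1M, once in 25 years); the laptop's $10,000 value combines the $1,000 replacement and $9,000 reputation figures from the asset-value slide, while its once-in-5-years recurrence and the encryption control are assumptions. The control_benefit check is step 5's comparison of risk exposure after reduction against the cost of reduction.

```python
# Added example, not from the deck. Laptop recurrence and the control are ASSUMED.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: float      # AV in dollars (direct + consequential loss)
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    years_between: float    # expected recurrence interval in years

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: cost of one occurrence, AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def aro(self) -> float:
        """Annualized Rate of Occurrence: expected occurrences per year."""
        return 1.0 / self.years_between

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: SLE x ARO."""
        return self.sle * self.aro


def control_benefit(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus the control's yearly cost.
    Positive means the control pays for itself; negative means accept or seek a cheaper one."""
    return (before.ale - after.ale) - annual_cost


# Building fire uses the slide's numbers. Laptop: $1,000 replacement + $9,000
# reputation from the asset-value slide, EF 1.0 as stated, ASSUMED theft every 5 years.
BUILDING_FIRE = Scenario("Building", "Fire", 1_000_000, 1.0, 25)
LAPTOP_THEFT = Scenario("Laptop", "Stolen", 10_000, 1.0, 5)

# ASSUMED control: full-disk encryption removes most of the consequential loss
# (EF drops to 0.1) at $300/year per laptop.
LAPTOP_ENCRYPTED = Scenario("Laptop", "Stolen", 10_000, 0.1, 5)

if __name__ == "__main__":
    for s in (BUILDING_FIRE, LAPTOP_THEFT):
        print(f"{s.asset:8} {s.threat:7} SLE=${s.sle:>12,.0f} ARO={s.aro:.2f} ALE=${s.ale:>9,.0f}")
    print(f"Encryption net benefit: ${control_benefit(LAPTOP_THEFT, LAPTOP_ENCRYPTED, 300):,.0f}/yr")
```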
Step 5: Treat Risk
Risk Acceptance: handle the attack when necessary. E.g.: comet hits. Ignore the risk if risk exposure is negligible.
Risk Avoidance: stop doing the risky behavior. E.g.: do not use Social Security

Extra Step: Step 6: Risk Monitoring
Issue | Status | Cost
Stolen laptop | In investigation | $2k, legal issues
HIPAA incident response | Procedure being defined, incident response | $200
Cost overruns | Internal audit investigation | $400
HIPAA: physical security | Training occurred | $200
Report to Mgmt: status of security; metrics showing current performance; outstanding issues

Training
Importance of following policies & procedures
Clean desk policy
Incident or emergency response
Authentication & access control
Privacy and confidentiality
Recognizing and reporting security incidents
Recognizing and dealing with social engineering

Risk Management
Risk Management is aligned with business strategy & direction.
Risk mgmt must be a joint effort between all key business units & IS.
Business-driven (not technology-driven).
Steering Committee:
• Sets risk management priorities
• Defines risk management objectives to achieve business strategy

Question
Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Question
Risk Management includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Question
The FIRST step in Security Risk Assessment is:
1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls

Question
Single Loss Expectancy refers to:
1. The probability that an attack will occur in one year
2. The duration of time over which a loss is expected to occur (e.g., one month, one year, one decade)
3. The cost of losing an asset once
4. The average cost of loss of this asset per year

Question
The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:
1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management

Question
Which of these risks is best measured using a qualitative process?
1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee's laptop while traveling
4. Disruption of supply deliveries due to flooding

Question
The risk that is assumed after implementing controls is known as:
1. Accepted risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk

Question
The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine the budget for residual risk

Question
Due Diligence ensures that:
1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization's information assets

Question
ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE × ARO