IT-Risk-Management Best Practice
Description: Talk given by Umberto Annino at Hacking Day 2014.
![Page 1: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/1.jpg)
IT Risk Management
Digicomp Hacking Day, 11.06.2014 Umberto Annino
![Page 2: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/2.jpg)
• Who is speaking? Umberto Annino, business informatics specialist (Wirtschaftsinformatiker), Information Security
• What is a risk? → Security is the complementary event to risk → Risk is damage with potential (potential harm)
![Page 3: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/3.jpg)
Risk
Hazard, Threat
Vulnerability, Asset
Risk
![Page 4: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/4.jpg)
Reality check
Compliance? Risk Management? Operational Risk, Business Continuity? IT, Information Security – Cyber Security? Red Team, Threat Modeling, APT and OpenSSL? Big Data???
Security ™ vs. Compliance ™
![Page 5: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/5.jpg)
IT risk in the risk hierarchy
![Page 6: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/6.jpg)
COSO Enterprise Risk Management Framework
![Page 7: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/7.jpg)
ISO 31000 Risk Mgmt (2009) Guidelines and Principles and Framework
![Page 8: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/8.jpg)
ISO 31000 Framework
![Page 9: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/9.jpg)
ISO 31000 Processes
![Page 10: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/10.jpg)
ISO 31000 - Processes
Design of framework for managing risk
Understanding of the organisation and its context
Establishing risk management policy
Accountability
Integration into organisational processes
Resources
Establishing internal communication and reporting mechanisms
Establishing external communication and reporting mechanisms
Implementing risk management
Implementing the framework for managing risk
Implementing the risk management process
Monitoring and review of the framework
Continual improvement of the framework
→ Mandate and commitment
![Page 11: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/11.jpg)
ISO 31000 - Processes
Risk Management Process
Communication and consultation
Establishing the external context
Establishing the internal context
Establishing the context of the risk management process
Defining risk criteria
Risk assessment: Risk identification
Risk analysis
Risk evaluation
Risk treatment
Monitoring and review
Recording the risk management process
![Page 12: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/12.jpg)
ISO 31000 Attributes of enhanced risk management
• Key outcomes
– The organisation has a current, correct and comprehensive understanding of its risks
– The organisation's risks are within its risk criteria
• Attributes
– Continual improvement
– Full accountability for risks
– Application of risk management in all decision making
– Continual communications
– Full integration in the organisation's governance structure
![Page 13: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/13.jpg)
ISO 27005 Information Security Risk Management
![Page 14: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/14.jpg)
ISO 27005 Context Establishment
Basic Criteria
Risk management approach
Risk evaluation criteria
Impact criteria
Risk acceptance criteria
→ Scope and Boundaries → Organisation for information security risk management
![Page 15: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/15.jpg)
ISO 27005 Information security risk assessment
Risk identification
Identification of assets
Identification of threats
Identification of existing controls
Identification of vulnerabilities
Identification of consequences
Risk analysis: Risk analysis methodologies
Assessment of consequences
Assessment of incident likelihood
Level of risk determination
![Page 16: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/16.jpg)
ITGI RiskIT Framework positioning
![Page 17: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/17.jpg)
IT Risk (high level) categories
![Page 18: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/18.jpg)
RiskIT Framework
![Page 19: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/19.jpg)
Risk maps...
• Risk appetite
• Risk tolerance
• Risk culture
![Page 20: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/20.jpg)
Risk culture
![Page 21: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/21.jpg)
IT risk scenario development
![Page 22: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/22.jpg)
Risk scenario components
![Page 23: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/23.jpg)
But: scenario based... → keeping it real!
![Page 24: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/24.jpg)
IT Risk Response options and prioritisation
![Page 25: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/25.jpg)
Managing IT risks
Risk management
Risk analysis
Risk identification
Consolidation
Link to business
Risk evaluation
Quantitative / Qualitative
Statistical basis
Risk steering
Risk treatment
Admin discipline / effort
Cost, ROI
Risk tracking
Traceability
Consistency (of figures)
![Page 26: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/26.jpg)
Quantifying IT risks
Big Data? Loss DB? Complexity of information systems (and software)?
![Page 27: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/27.jpg)
Quantifying IT risks
• In practice more qualitative than quantitative
– Lack of a statistical basis
– Inherently complex systems
– Little acute need for quantification → via linkage with business processes
• Consolidation of values for management reporting as the basis for quantification
• In practice more "first steps" than best practice
• ISO 27005, ITGI RiskIT Framework and Practitioner Guide offer usable foundations (framework)
![Page 28: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/28.jpg)
Risk Treatment
Risk treatment
Avoid / Eliminate
Reduce / Minimize
Transfer / Externalize
Accept / Residual Risk
Controls / Measures
Avoid / Prevent
Detect / Discover
Minimize / Contain
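As an added illustration that is not part of Annino's slides, the following Python puts the ISO 27005 assessment steps from slide 15 (assets, threats, existing controls, vulnerabilities, consequences, likelihood, level of risk), the treatment options from this slide and the consolidation of shared risks from slides 30/31 into one small worked register. The qualitative scales, the acceptance threshold and the treatment decision rule are constructed assumptions, not taken from the talk or from the standard.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed qualitative scales and criteria (assumptions, not from the slides).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}
ACCEPT_UP_TO = 4  # risk acceptance criterion: level of risk <= 4 is accepted


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    existing_controls: tuple  # controls already in place, assumed reflected in likelihood
    likelihood: str
    consequence: str

    def level(self) -> int:
        # Level of risk determination: likelihood x consequence on the qualitative matrix.
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def treatment(r: Risk) -> str:
    """Pick one of the four treatment options (hypothetical decision rule):
    accept within criteria, avoid what is both likely and severe,
    transfer rare-but-serious events (e.g. insurance), reduce the rest."""
    lk, cq = LIKELIHOOD[r.likelihood], CONSEQUENCE[r.consequence]
    if r.level() <= ACCEPT_UP_TO:
        return "accept"
    if lk >= LIKELIHOOD["likely"] and cq >= CONSEQUENCE["severe"]:
        return "avoid"
    if lk <= LIKELIHOOD["unlikely"] and cq >= CONSEQUENCE["major"]:
        return "transfer"
    return "reduce"


def consolidate(risks):
    """Shared risks: group the register by threat across assets, keeping the highest level."""
    out = defaultdict(lambda: {"assets": [], "max_level": 0})
    for r in risks:
        entry = out[r.threat]
        entry["assets"].append(r.asset)
        entry["max_level"] = max(entry["max_level"], r.level())
    return dict(out)


# Constructed sample register for demonstration.
REGISTER = [
    Risk("customer DB", "SQL injection", "unvalidated input", ("WAF",), "possible", "severe"),
    Risk("office printer", "malware", "unpatched firmware", (), "likely", "minor"),
    Risk("customer DB", "ransomware", "no offline backup", ("AV",), "unlikely", "severe"),
    Risk("file share", "ransomware", "no offline backup", (), "possible", "major"),
    Risk("legacy FTP server", "credential theft", "cleartext protocol", (), "likely", "severe"),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:18} {r.threat:17} level={r.level():2} -> {treatment(r)}")
    print(consolidate(REGISTER))
```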
![Page 29: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/29.jpg)
Risk Treatment – ISO 27005
![Page 30: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/30.jpg)
Consolidating IT risks: disjointed risks
![Page 31: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/31.jpg)
Consolidating IT risks: shared risks
![Page 32: IT-Risk-Management Best Practice](https://reader034.vdocuments.net/reader034/viewer/2022052618/554bd5b0b4c905706a8b50dc/html5/thumbnails/32.jpg)