Key pillars for effective risk management

Posted on 15-Apr-2017

Page 1: Key pillars for effective risk management

KEY PILLARS FOR EFFECTIVE RISK MANAGEMENT

Ramana Krothapalli

Page 2

"Living at risk is jumping off the cliff and building your wings on the way down." - Ray Bradbury

Page 3

AGENDA

- Information Security & Risk Management
- Current Information Security Scenario
- Key pillars of effective Risk Management
- Risk Management Standards & Frameworks

Page 4

INFORMATION SECURITY & RISK MANAGEMENT

Information Security
- More focused on technology business
- Compliance driven
- Identify risks
- Define controls
- Monitor controls

Information Risk Management
- Areas to be secured
- Business value & business impact
- Compliance & strategy
- Structured approach
- Provides decision makers with information
- Does not make decisions for business

Page 5

CURRENT INFORMATION SECURITY SCENARIO

Page 6

KEY PILLARS OF EFFECTIVE RISK MANAGEMENT

Page 7

KEY PILLARS OF EFFECTIVE RISK MANAGEMENT

Culture
- Contributes to the success of Risk Management
- Acceptable risk-seeking behaviour
- Communicating appropriate norms, values & expectations of ethical behaviour

Leadership
- Provides vision, goals and strategy for Risk Management
- Models the desired behaviour

Page 8

KEY PILLARS OF EFFECTIVE RISK MANAGEMENT

Alignment
- Ensures leadership reinforces cultural norms
- Systems support appropriate structures
- Risk Management is integrated with governance and strategy making

Structure
- Standards, frameworks
- Provides a formal framework for the necessary responsibilities
- Structures of reporting lines, roles, teams & committees

Systems
- Information Technology
- Knowledge Management
- Accounting and financial controls

*Drew, Kelley and Kendrick (2006)

Page 9

RISK MANAGEMENT STANDARDS & FRAMEWORKS

NIST SP 800 Series
- NIST SP 800-39 - Managing Information Security Risk, released in 2011 (supersedes NIST SP 800-30)
- Provides guidance for an integrated, organization-wide program for managing information security risk to organizational operations
- NIST SP 800-30, revised in 2012 (Guide for Conducting Risk Assessments)

[Figure: Multitiered Risk Management]

Page 10

RISK MANAGEMENT STANDARDS & FRAMEWORKS

ISO Standards

ISO 27005:2011 (Information security risk management)
- Designed to assist the satisfactory implementation of information security based on a risk management approach
- Applicable to all types of organizations
- Specialized standard that provides the best practices for managing the risks related to information security

ISO 31000:2009 (Risk management - Principles and guidelines)
- Framework for Enterprise Risk Management
- Can be used for any type of risk, including information security, business continuity, market, currency, credit, operational, and others
- Does not provide a specific methodology

Page 11

RISK MANAGEMENT STANDARDS & FRAMEWORKS

COSO ERM Framework
- Defines essential enterprise risk management components
- Discusses key ERM principles and concepts
- Suggests a common ERM language
- Provides clear direction and guidance for enterprise risk management
- 4 objective categories, 8 components & entity units

COBIT (Risk IT)
- Risk IT complements and extends COBIT and Val IT to make a more complete IT governance guidance resource
- It covers all IT-related risks, not just information security
- Integrates the management of IT-related business risks into overall enterprise risk management
- Links with enterprise-wide risk management concepts and approaches, such as COSO ERM, ISO 31000, etc.

Page 12

CONCLUSION
- Standards and frameworks tend to be conceptual
- Little guidance on practical implementation
- More similarities than differences among standards
- The majority of the standards are generic, applicable to all industries & sectors
- Elements in each of the standards may be useful or adaptable for specific organizations
- It is the 'key pillars' that matter for successful risk management

Page 13

Q & A

Page 14

Thank You