46. Responsibilities
This is the "who" component of the security system.
- day-to-day accountability, assigned owners (positions, not people)
- detailed processes
- detailed actions
- designed to ensure the ISMS is on-going
47. Responsibilities Example
Requirement
1. context of the organisation
1.1 objectives
1.1 XXX shall confirm the objectives of this ISMS and identify any issues that might affect its effectiveness at least annually
1.2 3rd parties
1.2(a) XXX shall confirm the 3rd parties subject to this ISMS, including applicable laws, regulations, contracts etc., at least annually
1.2(b) XXX shall confirm the information security-relevant requirements and obligations required of their 3rd parties at least annually
1.3 Scope
1.3 XXX shall confirm the scope of the ISMS at least annually
1.4 Improvement
1.4 XXX shall maintain and continually improve the ISMS according to ISO 27001
Action Requirement (based on the points above)
1.1 XXX must implement a process to review and confirm the objectives of the ISMS annually
1.2(a) XXX must implement a process to review and confirm the 3rd parties subject to the ISMS and applicable governance at least annually
1.2(b) XXX must implement a process to review and confirm the security requirements applicable to their 3rd parties at least annually
1.3 XXX must implement a process to confirm the scope of the ISMS annually with consideration to
a. the external and internal issues referred to in 4.1
b. the requirements referred to in 4.2
c. interfaces and dependencies between activities performed by the organisation and those that are performed by other organisations
1.4 XXX must establish procedures to maintain and continually improve an ISMS according to the standard
48. Step 3 | Risk Treatment Plan
- the risk treatment plan is your method (the how)
- represents the execution plan, directly derived from your risk strategy
- list on one board the risks, their occurrence probability, their potential impacts and their criticality
- risk calculation formula based on information asset value and risk tolerance & resilience
- keep in mind: risk criticality = threat x probability x impact
- check that it always answers well:
+ what are we protecting?
+ why are we protecting it?
49. Step 4 | Risk management
5 fundamental steps:
1. identify your assets
2. identify the potential vulnerabilities and threats to these assets
3. for each threat, quantify the probability of occurrence
4. calculate the impact of the incident on your business
5. implement cost-effective controls
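Steps 3 and 4 above describe the risk board and the five-step process only in words. The following Python example is added here and is not part of the slide deck: it puts the two slides together on constructed data, ranks risks with the slide's criticality formula (threat x probability x impact), flags those above a risk tolerance, and checks each proposed control against step 5's cost-effectiveness test. The asset names, 1-5 scores, probabilities, asset values, control costs, the tolerance value and the mapping of impact 1-5 to 20%-100% of asset value are all assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

# Added illustration, not the slide deck's own material. Every asset, score,
# cost and control below is constructed sample data on the slides' 1-5 scales.


@dataclass(frozen=True)
class Risk:
    asset: str             # step 1: the information asset
    threat: str            # step 2: the threat to the asset
    vulnerability: str     # step 2: the weakness the threat would exploit
    threat_level: int      # 1-5, how capable and motivated the threat source is
    probability: float     # step 3: probability of occurrence per year, 0.0-1.0
    impact: float          # step 4: 1-5 business impact if the incident happens
    asset_value: float     # information asset value in currency units

    def criticality(self) -> float:
        """Slide formula: risk criticality = threat x probability x impact."""
        return self.threat_level * self.probability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    probability_factor: float = 1.0  # residual probability multiplier (0.2 = 80% cut)
    impact_factor: float = 1.0       # residual impact multiplier (1/3 = impact 3 -> 1)


def annual_loss(risk: Risk) -> float:
    """Expected yearly loss. Assumption: impact 1-5 maps to 20%-100% of asset value."""
    return risk.probability * risk.asset_value * (risk.impact / 5)


def apply_control(risk: Risk, control: Control) -> Risk:
    """Residual risk after the control; the original record is left unchanged."""
    return replace(
        risk,
        probability=risk.probability * control.probability_factor,
        impact=risk.impact * control.impact_factor,
    )


def is_cost_effective(risk: Risk, control: Control) -> bool:
    """Step 5: a control pays for itself when the loss it avoids exceeds its cost."""
    avoided = annual_loss(risk) - annual_loss(apply_control(risk, control))
    return avoided > control.annual_cost


def risk_board(risks, tolerance: float):
    """Step 3 board: risks ranked by criticality, flagged when above tolerance."""
    ranked = sorted(risks, key=lambda r: r.criticality(), reverse=True)
    return [(r.asset, r.threat, round(r.criticality(), 2), r.criticality() > tolerance)
            for r in ranked]


def treatment_plan(risks, proposed, tolerance: float):
    """Per risk: 'accept' within tolerance, 'treat' with a cost-effective control,
    otherwise 'revisit' (the proposed control costs more than the loss it avoids)."""
    plan = {}
    for r in risks:
        if r.criticality() <= tolerance:
            plan[r.asset] = ("accept", None)
            continue
        control = proposed.get(r.asset)
        if control is not None and is_cost_effective(r, control):
            plan[r.asset] = ("treat", control.name)
        else:
            plan[r.asset] = ("revisit", control.name if control else None)
    return plan


# Constructed register (hypothetical assets and figures).
RISKS = [
    Risk("customer database", "ransomware", "unpatched file server", 4, 0.3, 5, 500_000),
    Risk("public website", "defacement", "weak admin password", 3, 0.5, 2, 50_000),
    Risk("office laptops", "theft", "no full-disk encryption", 2, 0.2, 3, 20_000),
]

# Constructed proposed controls with assumed costs and effects.
PROPOSED = {
    "customer database": Control("offline backups + patch cadence", 40_000, probability_factor=0.2),
    "public website": Control("managed WAF subscription", 12_000, probability_factor=0.3),
    "office laptops": Control("full-disk encryption rollout", 1_000, impact_factor=1 / 3),
}

RISK_TOLERANCE = 2.5  # assumed: criticality above this must be treated

if __name__ == "__main__":
    for row in risk_board(RISKS, RISK_TOLERANCE):
        print(row)
    for asset, decision in treatment_plan(RISKS, PROPOSED, RISK_TOLERANCE).items():
        print(asset, decision)
```

Running it shows the board the slide asks for (ransomware on the customer database ranks first at criticality 6.0, laptop theft sits below tolerance at 1.2) and that the WAF proposal, although it addresses a risk above tolerance, avoids less yearly loss than it costs and so goes back for revisiting rather than straight into the plan.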

50. Foster a culture of ethics and excellence with workforce governance
- ensure employees understand regulations and policies in the most time- and cost-effective manner
- prove employee acknowledgment of accountability
- trust a single source of authoritative information for policy and procedure reference
51. A holistic GRC framework for
SOX requires identification of risks and the management of controls through assessments
RCSA operational risk requires the identification of risks and the management of controls through self-assessments
MiFID and ReNMS require client suitability and transaction surveillance
AML requires KYC and transaction surveillance
Fraud detection requires both transaction monitoring and risk & control self-assessments
A common process understanding for compliance and operational risk would be a first step to GRC convergence
52. Figure
53. Influences to Strategy
- there are a number of forces which influence an organisation's strategy
- these forces define the business & shape their plans
- some forces include:
+ corporate culture
+ the competitive marketplace
+ government / industry regulations
+ individual executive personalities / goals
54. Policies - defined
- ISACA defines a policy as:
"A document that records a high-level principle or course of action which has been decided upon. A policy's intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise's management teams"
55. policy creation
- someone has to actually write the policies though
- the draft author should be someone who understands the issue being addressed & the relevant business goals
- do not be afraid to start with policy templates & build off of other people's work
- generally the drafting process is done by a team, delegated by the IS Steering Committee
- auditors certainly can engage in the drafting process - it does not violate the spirit of auditor independence
56. Sample information security policies
+ some sample security policies to consider are:
- acceptable system use policy
- acceptable encryption policy
- remote network access policy
- data access authorization policy
- user authentication policy
- network monitoring policy
- incident handling policy
- business continuity / disaster recovery policy
- physical security policy

57. Formal risk management models
- formal risk management models are meant to be the next step after an organisation follows the steps from the previous section
- if an organization follows those steps but wants more from risk management, then a formal model makes sense
- organizations need to know why they are doing risk management & what they hope to achieve from it
- what are the business objectives you hope to achieve?
58. Formal vs Ad hoc Models
- ad hoc models - how organizations describe nonexistent, informal, or half-hearted risk programs
- formal models - defined, thoughtful methods of performing risk management
- formal models enable the business to create a plan for managing risk in light of business strategies
- if an organization is not using a formal model, they likely are not doing risk management
59. choosing the right risk model
- one of the more important risk management decisions an organization will make is which model to follow
- the model an organization chooses:
+ has to fit the culture of the organization
+ has to be supported by executive management
+ has to be consistent across all business units
+ has to be used comprehensively
+ has to be usable and produce valuable outputs
60. Governance, risk & compliance
Governance, risk & compliance processes