Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
MANAGEMENT
ISACA Atlanta Chapter, Geek Week
August 20, 2013
Scott Ritchie, Manager, HA&W
Information Assurance Services
Scott Ritchie
CISSP, CISA, PCI QSA, ISO 27001 Auditor
• Manager, HA&W Information Assurance Services
• Previous
– AT&T, Internal Audit (Technology audits)
– Scientific Research Corp., Information Systems
Security Officer
• Academics
– M.B.A.
– M.S. Information Assurance
Scott.Ritchie@hawcpa.com
(770) 353-2761
http://www.linkedin.com/pub/scott-ritchie/2/308/260
www.aicpa.org/fvs
HA&W Information Assurance
Services
Key Verticals: SME Domains: Key Services:
Fraud & Security • Risk and gap assessments
Analytics Privacy: • Attest/Compliance Reporting:
Healthcare IT o HIPAA / HITECH • SSAE 16 & SOC 2 Reporting
Tech / Cloud o Safe Harbor • PCI Compliance
Service o State Regulations
Providers • ISO 27001 Certification
Confidentiality
FinTech / • FedRAMP Certification
Processing Integrity
Payments • IT Internal Audit
Data Management
• IT Governance
Availability
• Due Diligence
Financial Reporting
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Focus of Today’s Presentation
http://www.linkedin.com/pub/scott-ritchie/2/308/260
www.aicpa.org/fvs
Security Environment
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Challenges
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Risk Assessment Illustrated
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Risk Management (RM) Hierarchy
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Risk Assessment Frameworks
http://www.linkedin.com/pub/scott-ritchie/2/308/260
ISO 27005: IT Risk Management
Context Definition
Risk Identification
Risk Analysis
Communication
and consultation Monitoring and
review
Risk Evaluation
Risk Treatment
Risk Acceptance
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Understand the Organization
Governance
Contractual Organizational
relationships structure
Policies and
Standards
objectives
Organization
Relationships
Information
with
flows
stakeholders
Management Commitment
Methods for
Rationale for Accountabilities resolving
managing risk for managing risk conflicting
interests
Risk management
Management
Commit resources performance
Review
metrics
Risk Tolerance
Views of Level and Combinations of
stakeholders Acceptance multiple risks
Criteria
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Objectives of Risk Assessment
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Information Asset Inventory
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Example Asset Register
Exposure
Asset Name/ Asset DR
Description Level
Description Class. Priority
(H,M,L)
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Calculating Risk (perception)
Source: CSOOnline.com
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Calculating Risk
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Elements of Risk
Risk
Impact Probability
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Risk Identification
System
Threat
Catalogs Docs
Surveys and
Workshops
Interviews
Previous
Events
Assess Threats
• Unintentional Exposures
– Characteristics
– Work Environment
– Time constraints
Likelihood Considerations
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Vulnerabilities
• Organization
• Processes and procedures
• Management routines
• Personnel
• Physical environment
• Information system configuration
• Hardware, software or communications equipment
• Dependence on external parties
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Impact criteria
• Asset classification
• Breaches of information security
• Impaired operations
• Loss of business and financial value
• Disruption of plans and deadlines
• Damage to reputation
• Breaches of requirements
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Risk evaluation criteria
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Example Risk Register
Availability (L,M,H)
Attack Initiation
Total Likelihood
Confidentiality
Overall Impact
Likelihood of
Control
Predisposing Effective-
Threat Conditions Vulnerable Entities ness
Lack of communication of
Business objectives are
Business and IT needs Business
not aligned with IT H H H H H H H H M
leads to unintended Operations
strategies.
exposure of data.
Accidental or intentional
Sensitive documents are
duplication and retention
retained beyond useful All data sources. H M M H H H H H L
of data leads to
life
unnecessary exposure.
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Risk Treatment
Transfer
/Share
Avoid
Mitigate
Accept
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Risk acceptance criteria
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Report
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Re-Assess Risks
http://www.linkedin.com/pub/scott-ritchie/2/308/260
Questions
http://www.linkedin.com/pub/scott-ritchie/2/308/260
www.aicpa.org/fvs
THANK YOU!
www.aicpa.org/fvs