IT Risk Management

Tudor Damian
IT Solutions Specialist, CEH, Hyper-V MVP
tudy.tel

Community Conference for IT Professionals
@ITCAMPRO
#ITCAMP15

Many thanks to our sponsors & partners!

PLATINUM
GOLD
SILVER
PARTNERS
(sponsor logos)

Agenda

• IT risk overview
• COBIT & Risk IT framework
• Risk Governance
• Risk Appetite and Risk Tolerance
• Risk Evaluation
• Risk Response
• IT risk management as a continuous process
• Sources

IT RISK OVERVIEW
Business risk related to the use of IT

Image source: coolrisk.com / Artist: Michael Mittag

Information as a key resource

• We create information
• We use and store information
• We destroy information
• Technology creates opportunities
  – Business, education, government, sales of real and electronic goods, e-health, etc.
• IT plays an essential role in these activities
  – Part of its duty is to protect these information assets

IT risk is business risk

• Email passwords may be disclosed
• Facebook accounts may be used by someone else
• Credit card information may be disclosed
• Customer information may be stolen
• IT service delivery to customers may be poor
• IT systems may be obsolete
• IT projects may be late or fail
• IT systems do not provide any business benefit
• Risk of non-compliance with the regulator
• Own people may harm the systems

Opportunity vs. Risk

• Opportunity and Risk - two sides of the same coin
• Those who manage risk, succeed. Those who do not, fail.
• Risk is inherent to every enterprise
  – You don’t really have a choice: every decision taken, every strategy chosen, carries a certain risk

The impact of IT risk

• No organization is unaffected
• Businesses are disrupted
• Privacy is violated
• Organizations suffer direct financial loss
• Reputation is damaged

Risk vs. Investment – an easy decision (?)

Diagram contrasting two positions:
• High Risk / Low Cost
• Low Risk / High Cost

Some statistics

• 87% of small businesses and 93% of larger organizations experienced a security breach in the last year alone
• 85% of breaches took weeks to discover
• 96% of breaches were not highly difficult
• 97% of breaches were avoidable through simple or intermediate controls
• 57% of EU incidents were caused by administrative error, missing hardware, exposed online, or stolen by insiders

Sources: Center for Media, Data and Society (CMDS) / Verizon / UK Government, Department for Business, Innovation and Skills (BIS)

Timeline of discovery for cyber attacks (2013)

Time to discovery:
• Hours: 9%
• Days: 8%
• Weeks: 16%
• Months: 62%
• Years: 5%

Source: Verizon

Cyber crime attacks experienced by US companies (June 2014)

Percentage of companies experiencing each attack type:
• Viruses, worms, trojans: 100%
• Malware: 97%
• Botnets: 76%
• Web-based attacks: 61%
• Malicious code: 46%
• Phishing and social engineering: 44%
• Malicious insiders: 41%
• Stolen services: 37%
• Denial of service: 34%

Sources: Ponemon Institute; Hewlett-Packard (HP Enterprise Security)

Some more statistics

Sources:
• Ponemon Institute 2011 Cost of Data Breach Study: United States
• Verizon 2012 Data Breach Investigations Report
• Reuters, http://reut.rs/zzrcec
• Symantec Internal Threat Report 17
• WIRED, http://www.wired.com/threatlevel/2012/05/flame/all/1
• European Commission-Justice, Data Protection
• Ponemon Institute Second Annual Benchmark Study on Patient Privacy and Data Security
• ISACA 2011 Top Business/Technology Issues Survey
• Symantec 2012 SMB Disaster Preparedness Survey
• Ponemon Institute True Cost of Compliance Report
• Thomson Reuters State of Regulatory Reform 2012
• eWeek, http://www.eweek.com/c/a/IT-Infrastructure/Unplanned-IT-Downtime-Can-Cost-5K-Per-Minute-Report-549007/

Even more statistics

Sources: the same list as on the previous slide.

Statistics overload
(image slide)

How is IT Risk ideally handled?
(image slide)

COBIT® AND RISK IT FRAMEWORKS

www.isaca.org/cobit

Image source: coolrisk.com / Artist: Michael Mittag

Why use best practices / frameworks?

• Better accountability and responsibility (ownership)
  – You get out of the blame game
• Better management
• Better benefits from IT investments
• Better compliance
• Better monitoring
• Easily compare yourself with others
• Everybody’s doing it anyway
  – ITIL, ISO 27001/2, COSO ERM, PRINCE2, PMBOK, Six Sigma, TOGAF, etc.

IT risk in the enterprise risk hierarchy
(diagram)

Overview – COBIT®, Risk IT and Val IT
(diagram)

COBIT®

• A comprehensive IT governance and management framework
• Addresses every aspect of IT
• Ensures clear ownership and responsibilities
• A common language for all
• Improves IT efficiency and effectiveness
• Better management of IT investments
• Ensures compliance
• A complimentary copy is available:
  – www.isaca.org/cobit

COBIT® coverage

The four COBIT® domains and the processes shown for each:

• PLAN & ORGANIZE
  – Strategic IT Plan
  – Manage IT Investment
  – Manage IT Human Resources
  – Manage IT Risks
  – Manage Projects
• ACQUIRE & IMPLEMENT
  – Acquire & Maintain Application Software
  – Acquire and Maintain Technology Infrastructure
  – Manage Changes
• DELIVERY & SUPPORT
  – Manage 3rd-party Services
  – Ensure Continuous Service
  – Ensure Systems Security
  – Manage Incidents
  – Manage Data & Operations
• MONITOR & EVALUATE
  – Monitor and Evaluate IT Performance
  – Monitor and Evaluate Internal Control
  – Ensure Compliance
  – Provide IT Governance

Risk IT

• Framework for effective management of IT risk
• Complements COBIT®
  – COBIT® provides a set of controls to mitigate IT risk
  – Risk IT provides a framework for enterprises to identify, govern and manage IT risk
  – Enterprises that have adopted COBIT® can use Risk IT to enhance risk management
• Integrates the management of IT risk into the overall enterprise risk management (ERM) of the organization
• Helps management make well-informed decisions about the extent of the risk, the risk appetite and the risk tolerance of the enterprise
• Helps management understand how to respond to risk
• Available for ISACA members:
  – http://isaca.org/RiskIT

Risk IT principles

• Always connects to business objectives
• Aligns the management of IT-related business risk with overall enterprise risk management (ERM) - if applicable
• Balances the costs and benefits of managing IT risk
• Promotes fair and open communication of IT risk
• Establishes the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
• Is a continuous process and part of daily activities

Managing and understanding IT risk

• To prioritize and manage IT risk, management needs a clear understanding of the IT function and IT risk
  – Key stakeholders often do not have a full understanding
• IT risk is not just a technical issue
  – IT experts help to understand and manage aspects of IT risk
  – Business management is still the most important stakeholder
• Business managers determine what IT needs to do to support their business
  – They set the targets for IT
  – They are accountable for managing the associated risks

Risk IT process model

1. Define a risk universe and scope risk management
2. Risk appetite and risk tolerance
3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
5. Risk scenarios: includes capability risk factors and environmental risk factors
6. Risk response and prioritization
7. A risk analysis workflow: “swim lane” flow chart, including role context
8. IT risk mitigation using COBIT and Val IT

Risk IT publications

• Risk IT Framework
  – A set of governance practices for risk management
  – An end-to-end process framework for successful IT risk management
  – A generic list of common, potentially adverse, IT-related risk scenarios
  – Tools and techniques to understand concrete risks to business operations
• Risk IT Practitioner Guide
  – Support document for the Risk IT framework
  – Provides examples of possible techniques to address IT-related risk issues
  – Building scenarios, based on a set of generic IT risk scenarios
  – Building risk maps, techniques to describe scenario impact and frequency
  – Building impact criteria with business relevance
  – Defining KRIs (Key Risk Indicators)

Risk management frameworks and standards compared
(comparison table slide)

RACI charts – IT risk example

| Key activities / Roles | Board | CEO | CRO | CIO | CFO | Enterprise Risk Committee | Business Management | Business Process Owner | Risk Control Functions | HR | Compliance and Audit |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Define IT risk analysis scope | | I | R | C | I | C | A | R | C | | C |
| Estimate IT risk | | I | R | C | C | I | A/R | R | R | | C |
| Identify risk response options | | | C | C | C | R | A | R | R | | I |
| Perform a peer review of IT analysis | | | A/R | | | | I | | I | | I |
| Perform enterprise IT risk assessment | I | A | R | R | C | I | R | C | R | C | C |
| Propose IT risk tolerance thresholds | I | I | C | R | C | I | A | C | C | | C |
| Approve IT risk tolerance | A | C | C | C | C | R | C | C | C | C | C |
| Assign IT risk policy | C | A | R | R | R | C | R | R | R | R | C |
| Promote IT risk-aware culture | A | R | R | R | R | R | R | R | R | R | R |
| Encourage effective communication of IT risk | R | R | R | R | R | R | A | R | R | R | R |

A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed

RISK GOVERNANCE

Image source: coolrisk.com / Artist: Michael Mittag

Risk governance, evaluation and response

• Risk Governance
  – Establish and Maintain a Common Risk View
  – Integrate with Enterprise Risk Management (ERM)
  – Make Risk-aware Business Decisions
• Risk Evaluation
  – Collect Data
  – Analyze Risk
  – Maintain Risk Profile
• Risk Response
  – Articulate Risk
  – Manage Risk
  – React to Events

IT Risk Management Responsibilities and Accountability
(diagram)

RISK APPETITE AND RISK TOLERANCE

Image source: coolrisk.com / Artist: Michael Mittag

Risk Appetite and Risk Tolerance

• Risk Appetite: the amount of risk an entity is prepared to accept when trying to achieve its objectives
• Defining factors:
  – The enterprise’s objective capacity to absorb loss (e.g., financial loss, reputation damage)
  – The (management) culture or predisposition towards risk taking - cautious or aggressive (i.e., what amount of loss is the enterprise willing to accept in pursuit of a return?)
• Risk Tolerance: the tolerable deviation from the level set by the risk appetite and business objectives
  – e.g., standards require projects to be completed within estimated budgets and time, but overruns of 10 percent of budget or 20 percent of time are tolerated

Risk map
(diagram)

Sample risk scenarios and risk appetite
(diagram)

Elements of risk culture
(diagram)

RISK EVALUATION

Image source: coolrisk.com / Artist: Michael Mittag

Expressing IT risk in business terms
(diagram)

IT scenario development
(diagram)

IT risk scenario components
(diagram)

RISK RESPONSE

Image source: coolrisk.com / Artist: Michael Mittag

Risk response overview

• Identify Key Risk Indicators based on:
  – Impact
  – Effort to implement, measure and report
  – Reliability
  – Sensitivity
• Decide on best response to risk
  – Avoidance
  – Reduction/Mitigation
  – Sharing/Transfer
  – Acceptance
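The risk appetite and risk tolerance definitions from the earlier slide, together with the four response options above, as an added example that is not code from the ITCamp deck or from ISACA's Risk IT: each scenario is placed on a frequency/impact risk map, compared with an appetite band and a tolerance band, and mapped to accept, mitigate, transfer or avoid using the cost/benefit balance named in the Risk IT principles. The five-point scales, the appetite thresholds, the scenarios and their cost figures are all constructed assumptions.

```python
"""Risk map scoring against risk appetite, with a Risk IT response recommendation.

Added example, not code from the ITCamp deck or from ISACA's Risk IT: the 1-5
scales, the appetite thresholds and the scenarios are constructed assumptions.
"""
from dataclasses import dataclass

# Ordinal frequency and impact scales of a risk map (assumed five-point scales).
FREQUENCY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class RiskScenario:
    name: str
    frequency: str
    impact: str
    mitigation_cost: int        # assumed annual cost of the mitigating controls (kEUR)
    loss_avoided: int           # assumed annual loss those controls avoid (kEUR)
    transferable: bool = False  # can insurance or a contract carry the risk?


@dataclass(frozen=True)
class RiskAppetite:
    acceptable: int  # scores at or below this are within appetite
    tolerable: int   # scores above acceptable but at or below this are tolerated


def score(s: RiskScenario) -> int:
    """Position on the risk map: frequency rating times impact rating (1..25)."""
    return FREQUENCY[s.frequency] * IMPACT[s.impact]


def classify(s: RiskScenario, appetite: RiskAppetite) -> str:
    """Compare the scenario's score with the appetite and tolerance bands."""
    sc = score(s)
    if sc <= appetite.acceptable:
        return "within appetite"
    if sc <= appetite.tolerable:
        return "within tolerance"
    return "exceeds tolerance"


def recommend_response(s: RiskScenario, appetite: RiskAppetite) -> str:
    """Pick one of the four response options: accept, mitigate, transfer, avoid.

    Mitigation is chosen only when the controls cost less than the loss they
    avoid (the cost/benefit balance from the Risk IT principles); otherwise the
    risk is shared if it can be, and avoided when it exceeds tolerance.
    """
    band = classify(s, appetite)
    if band == "within appetite":
        return "accept"
    if s.loss_avoided >= s.mitigation_cost:
        return "mitigate"
    if s.transferable:
        return "transfer"
    if band == "exceeds tolerance":
        return "avoid"
    return "accept with monitoring"  # tolerated, but tracked with a KRI


def assess(scenarios, appetite):
    """Return {scenario name: (score, band, response)}, highest score first."""
    ranked = sorted(scenarios, key=score, reverse=True)
    return {s.name: (score(s), classify(s, appetite), recommend_response(s, appetite))
            for s in ranked}


# Constructed scenarios, loosely following the "IT risk is business risk" list.
SCENARIOS = [
    RiskScenario("Phishing discloses staff email passwords", "likely", "major", 40, 120),
    RiskScenario("Unplanned datacenter outage", "unlikely", "severe", 300, 90, transferable=True),
    RiskScenario("Obsolete system loses vendor support", "possible", "moderate", 80, 100),
    RiskScenario("Card data breach at a third-party processor", "possible", "severe", 400, 150, transferable=True),
    RiskScenario("New sales channel on an unsupported platform", "likely", "severe", 900, 200),
    RiskScenario("IT project overruns its schedule", "possible", "major", 150, 60),
    RiskScenario("Office printer outage", "frequent", "negligible", 5, 2),
]
APPETITE = RiskAppetite(acceptable=6, tolerable=12)

if __name__ == "__main__":
    for name, (sc, band, response) in assess(SCENARIOS, APPETITE).items():
        print(f"{sc:>2}  {band:<18} {response:<23} {name}")
```

The ordering of the checks in `recommend_response` is the design choice worth noting: a scenario inside appetite is accepted without spending on controls, a scenario outside it is mitigated only when the controls pay for themselves, and "accept with monitoring" is reserved for tolerated risk where neither mitigation nor transfer makes sense, which is exactly where a KRI earns its keep.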

IT RISK AS A CONTINUOUS PROCESS

Image source: coolrisk.com / Artist: Michael Mittag

Risk IT maturity model
(diagram)

Defining goals and metrics - example

| Goal level | Goal | Metric |
|---|---|---|
| Business goal | Maintain reputation | Number of incidents with public embarrassment |
| IT goal | IT can resist an attack | Number of incidents with business impact |
| Process goal | Reduce unauthorized access | Number of incidents caused by unauthorized access |
| Activity goal | Understand vulnerabilities and threats | Frequency of review |
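The goal-to-metric cascade above, as an added example that is not code from the deck or from COBIT: the three incident-count metrics are computed from a constructed incident register and each is rated against a target with a tolerated deviation, the same idea as the budget and time overrun tolerance on the Risk Appetite slide. The register rows, the per-quarter targets and the tolerance fractions are constructed assumptions.

```python
"""Key risk indicators from an incident register, checked against tolerance thresholds.

Added example, not from the ITCamp deck or from COBIT/Risk IT: the incident
records, the targets and the tolerated deviations are constructed assumptions.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed incident register for one quarter (not real data).
INCIDENTS_CSV = """\
id,date,category,business_impact,public,root_cause
INC-001,2015-01-08,malware,yes,no,phishing
INC-002,2015-01-19,outage,yes,no,hardware failure
INC-003,2015-02-02,unauthorized_access,yes,yes,phishing
INC-004,2015-02-11,unauthorized_access,no,no,misconfigured share
INC-005,2015-02-25,denial_of_service,yes,no,external
INC-006,2015-03-03,unauthorized_access,yes,no,insider
INC-007,2015-03-14,data_loss,no,no,administrative error
"""

# Constructed KRI targets: (target count per quarter, tolerated overshoot as a
# fraction of the target), in the spirit of "10% over budget is tolerated".
KRI_TARGETS = {
    "incidents_with_business_impact": (4, 0.25),
    "incidents_caused_by_unauthorized_access": (2, 0.50),
    "incidents_with_public_embarrassment": (0, 0.0),
}


def load_incidents(text):
    """Parse the register into one dict per incident."""
    return list(csv.DictReader(StringIO(text)))


def compute_kris(incidents):
    """The three incident-count metrics from the goal/metric cascade."""
    return {
        "incidents_with_business_impact":
            sum(i["business_impact"] == "yes" for i in incidents),
        "incidents_caused_by_unauthorized_access":
            sum(i["category"] == "unauthorized_access" for i in incidents),
        "incidents_with_public_embarrassment":
            sum(i["public"] == "yes" for i in incidents),
    }


def evaluate(kris, targets):
    """Rate each KRI: on target, within tolerance, or a breach of tolerance."""
    status = {}
    for name, value in kris.items():
        target, tolerance = targets[name]
        limit = target * (1 + tolerance)  # tolerated deviation above the target
        if value <= target:
            status[name] = "on target"
        elif value <= limit:
            status[name] = "within tolerance"
        else:
            status[name] = "breach"
    return status


def root_causes(incidents):
    """Root-cause counts: the input for the periodic review of the scenario list."""
    return Counter(i["root_cause"] for i in incidents)


if __name__ == "__main__":
    incidents = load_incidents(INCIDENTS_CSV)
    kris = compute_kris(incidents)
    for name, state in evaluate(kris, KRI_TARGETS).items():
        print(f"{name:<42} {kris[name]:>2}  {state}")
    print(root_causes(incidents).most_common(3))
```

A zero target with zero tolerance, as set here for public embarrassment, means a single incident is already a breach; the business-impact and unauthorized-access counts sit inside their tolerance bands, which is the signal that they need monitoring rather than an immediate escalation. The root-cause counts are what the activity-level metric "frequency of review" is meant to feed.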

SUMMARY

Image source: coolrisk.com / Artist: Michael Mittag

Summary

• Use best practices (such as COBIT®) to minimize IT Risks
• Start with basic processes
  – Form a high-level IT Strategy Committee
  – Formulate and implement an IT Strategic Plan and IT policies
  – Allocate resources (budget, people, infrastructure)
  – Assign roles and responsibilities, authority and accountability (using a RACI chart)
• Make IT a regular item on the board agenda
• Regularly assess, review and monitor IT Risks

Q & A

Image source: coolrisk.com / Artist: Michael Mittag

Thank you!

Tudor Damian
IT Solutions Specialist, CEH, Hyper-V MVP
tudy.tel