Abstract image of a woman sitting on books and studying on a laptop

IT-Risk-Management Best Practice

Digicomp Academy AG, profile picture
Digicomp Academy AG

The document discusses IT risk management frameworks and processes. It provides an overview of ISO 31000 for risk management, ISO 27005 for information security risk management, and the ITGI RiskIT framework. Key points covered include defining risk, the risk management process, quantifying and treating IT risks, and consolidating risks across an organization.

BusinessEconomy & Finance
1 of 32
Downloaded 59 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
IT  Risk  Management   Digicomp  Hacking  Day,  11.06.2014   Umberto  Annino  
•  Wer  spricht?   Umberto  Annino   WirtschaCsinformaEker,  InformaEon  Security   •  Was  ist  ein  Risiko?   !  Sicherheit  ist  das  Komplementärereignis   zum  Risiko   !  Risiko  ist  Schaden  mit  Potenzial   2  
Risiko   3   Gefahr   Bedrohung   Schwach-­‐ stelle   Asset   Risiko  
Realitätsabgleich   Compliance?   Risk  Management?   OperaEonal  Risk,  Business  ConEnuity?   IT,  InformaEon  Security  –  Cyber  Security?   Red  Team,  Threat  Modeling,  APT  and  openSSL?   Big  Data???     Security  ™  vs.  Compliance  ™   4  
IT  Risiko  in  der  Risiko-­‐Hierarchie   5  
COSO   Enterprise  Risk  Management  Framework   6  
ISO  31000  Risk  Mgmt  (2009)   Guidelines  and  Principles  and  Framework   7  
ISO  31000  Framework   8  
ISO  31000   Processes   9  
ISO  31000  -­‐  Processes   10   Design  of   framework  for   managing  risk   Understanding  of  the  organisaEon  and  its  context   Establishing  risk  management  policy   Accountability   IntegraEon  into  organisaEonal  processes   Resources   Establishing  internal  communicaEon  and  reporEng  mechanisms   Establishing  external  communicaEon  and  reporEng  mechanisms   ImplemenEng   risk   management   ImplemenEng  the  framework  for  managing  risk   ImplemenEng  the  risk  management  process   Monitoring  and  review  of  the  framework   ConEnual  improvement  of  the  framework   !  Mandate  and  commitment  
ISO  31000  -­‐  Processes   11   Risk   Management   Process   CommunicaEon  and  consultaEon   Establishing  the  external  context   Establishing  the  internal  context   Establishing  the  context  of  the  risk   management  process   Defining  risk  criteria   Risk  assessment   Risk  idenEficaEon   Risk  analysis   Risk  evaluaEon   Risk  treatment   Monitoring  and  review   Recording  the  risk  management   process  
ISO  31000   Acributes  of  enhanced  risk  management   •  Key  outcomes   –  The  organisaEon  has  a  current,  correct  and   comprehensive  understanding  of  its  risks   –  The  organisaEon‘s  risks  are  within  its  risk  criteria   •  Acributes   –  ConEnual  improvement   –  Full  accountability  for  risks   –  ApplicaEon  of  risk  management  in  all  decision  making   –  ConEnual  communicaEons   –  Full  integraEon  in  the  organisaEon‘s  governance   structure   12  
ISO  27005   InformaEon  Security  Risk  Management   13  
ISO  27005   Context  Establishment   14   Basic   Criteria   Risk  management  approach   Risk  evaluaEon  criteria   Impact  criteria   Risk  acceptance  criteria   ! Scope  and  Boundaries   ! OrganisaEon  for  informaEon  security  risk  management  
ISO  27005   InformaEon  security  risk  assessment   15   Risk   idenEficaEon   IdenEficaEon  of  assets   IdenEficaEon  of  threats   IdenEficaEon  of  exisEng  controls   IdenEficaEon  of  vulnerabiliEes   IdenEficaEon  of  consequences   Risk  analysis   Risk  analysis  methodologies   Assessment  of  consequences   Assessment  of  incident  likelihood   Level  of  risk  determinaEon  
ITGI  RiskIT  Framework   PosiEonierung   16  
IT  Risk  (high  level)  categories   17  
RiskIT  Framework   18  
Risk  maps...   •  Risk   appeEte   •  Risk   tolerance   •  Risk   culture   19  
Risk  culture   20  
IT  risk  scenario  development   21  
Risk  scenario  components   22  
Aber:  scenario  based...   !  keeping  it  real!   23  
IT  Risk  Response   opEons  and   prioriEsaEon   24  
Verwalten  von  IT  Risiken   Risiko   management   Risiko   analyse   Risiko   idenEfikaEon   Konsolidierung   Link  to   business   Risiko   bewertung   QuanEtaEv   QualiEaEv   StaEsEsche   Basis   Risiko   lenkung   Risiko   bearbeitung   Admin   Disziplin/ Aufwand   Kosten   ROI   Risiko   tracking   Nachvollzieh-­‐   barkeit   Konstanz   (Zahlen)   25  
QuanEfizieren  von  IT  Risiken   26   Big  Data?  Loss  DB?   Komplexität  von  InformaEonssystemen  (und  SoCware)?  
QuanEfizieren  von  IT  Risiken   •  In  der  Praxis  eher  qualitaEv  stac  quanEtaEv   –  Fehlende  staEsEsche  Basis   –  Prinzipiell  komplexe  Systeme   –  Wenig  akuter  Bedarf  zur  QuanEfizierung  !  über   Verknüpfung  mit  Business  Process   •  Konsolidierung  der  Werte  für  Management   ReporEng  als  Grundlage  für  QuanEfikaEon   •  In  der  Praxis  eher  „erste  Schrice“  stac  best   pracEse   •  ISO  27005,  ITGI  RiskIT  Framework  und   PracEcEoner  Guide  bieten  brauchbare   Grundlagen  (Framework)   27  
Risk  Treatment   28   Risk   treatment   Avoid   Eliminate   Reduce   Minimize     Transfer   Externalize   Accept   Residual  Risk   Controls   Measures   Avoid  /   Verhindern   Detect  /   Entdecken   Minimize  /   Eindämmen  
Risk  Treatment  –  ISO  27005   29  
Konsolidieren  von  IT  Risiken   Disjointed  risks   30  
Konsolidieren  von  IT  Risiken   shared  risks   31  
32  

More Related Content

PPTX
IT Risk Management
Computer Aid, Inc
 
PDF
ISO 27005 Risk Assessment
Smart Assessment
 
PPTX
NIST 800 30 revision Sep 2012
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
PPTX
Mastering Information Technology Risk Management
Goutama Bachtiar
 
PPTX
Iso27001 Risk Assessment Approach
tschraider
 
PPT
Information Serurity Risk Assessment Basics
Vidyalankar Institute of Technology
 
PPTX
Information systems risk assessment frame workisraf 130215042410-phpapp01
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
PPTX
Risk Management and Remediation
Carahsoft
 
IT Risk Management
Computer Aid, Inc
 
ISO 27005 Risk Assessment
Smart Assessment
 
NIST 800 30 revision Sep 2012
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Mastering Information Technology Risk Management
Goutama Bachtiar
 
Iso27001 Risk Assessment Approach
tschraider
 
Information Serurity Risk Assessment Basics
Vidyalankar Institute of Technology
 
Information systems risk assessment frame workisraf 130215042410-phpapp01
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Risk Management and Remediation
Carahsoft
 

What's hot (19)

PDF
Vendor Cybersecurity Governance: Scaling the risk
Sarah Clarke
 
PPT
Risk Based Security and Self Protection Powerpoint
randalje86
 
PPT
Review of Enterprise Security Risk Management
Rand W. Hirt
 
PPTX
Risk management ISO 27001 Standard
Tharindunuwan9
 
PPT
Risk Management 101
Barry Caplin
 
PPT
Security Maturity Assessment
Claude Baudoin
 
PDF
Risk Assessments
JoAnna Cheshire
 
PDF
Managing The Security Risks Of Your Scada System, Ahmad Alanazy, 2012
Ahmed Al Enizi
 
PPSX
Risk Management Remediation Overview
Russ Pizzuto
 
PDF
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
Denise Tawwab
 
PDF
Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 1...
Smart Assessment
 
PPTX
Microsoft Risk Management
Ulukman Mamytov
 
PPTX
Risk Management Methodology - Copy
Rabah Odeh ITIL 5.0-OCP-CISA-PMP-OCP..etc
 
PPT
Social Enterprise Learning Toolkit (Risk Management Module)
Enterprising Non-Profits
 
PPTX
Information Security Cost Effective Managed Services
Jorge Sebastiao
 
PDF
IIA Facilitated Risk Workshop
Ersoy AKSOY
 
PPTX
Information Security Risk Management
Nikhil Soni
 
PPTX
Cse it seminar ppt1, An Approach To IT Project Management
Girija Sankar Dash
 
PPTX
Risk management in Software Industry
Rehan Akhtar
 
Vendor Cybersecurity Governance: Scaling the risk
Sarah Clarke
 
Risk Based Security and Self Protection Powerpoint
randalje86
 
Review of Enterprise Security Risk Management
Rand W. Hirt
 
Risk management ISO 27001 Standard
Tharindunuwan9
 
Risk Management 101
Barry Caplin
 
Security Maturity Assessment
Claude Baudoin
 
Risk Assessments
JoAnna Cheshire
 
Managing The Security Risks Of Your Scada System, Ahmad Alanazy, 2012
Ahmed Al Enizi
 
Risk Management Remediation Overview
Russ Pizzuto
 
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
Denise Tawwab
 
Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 1...
Smart Assessment
 
Microsoft Risk Management
Ulukman Mamytov
 
Risk Management Methodology - Copy
Rabah Odeh ITIL 5.0-OCP-CISA-PMP-OCP..etc
 
Social Enterprise Learning Toolkit (Risk Management Module)
Enterprising Non-Profits
 
Information Security Cost Effective Managed Services
Jorge Sebastiao
 
IIA Facilitated Risk Workshop
Ersoy AKSOY
 
Information Security Risk Management
Nikhil Soni
 
Cse it seminar ppt1, An Approach To IT Project Management
Girija Sankar Dash
 
Risk management in Software Industry
Rehan Akhtar
 
Ad

Viewers also liked (19)

PPTX
Hacking Homework - AR triggered by GPS locations, tactile objects or print
Brendan O'Keefe
 
PPTX
QR codes and their application in libraries
Geoffrey Lowe
 
PPSX
A quick response to promoting library services - How you can use QR Codes
Scott Hibberson
 
PPTX
Qr Codes & Simple Augmented Reality in Academic Libraries - Oct. 2010
Robin M. Ashford, MSLIS
 
PPT
QR CODES IN AN ACADEMIC SETTING
genelg
 
PPTX
Sncs2015 cybersecurityy risk and control jakarta 3-4 juni 2015 ver01
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
PDF
IT Governance
Carlos Chalico
 
PPTX
The Books "AR" Alive-Augmented Reality in Books
Cindy Wright
 
PDF
Sejarah Lisan Tajuk 1
Alif Akram
 
PPTX
IT Policy
SensewareInfomedia
 
PDF
Sejarah Lisan Tajuk 2
Alif Akram
 
PPT
3.5 ICT Policies
mrmwood
 
PDF
182764707 nota-sjh3104-sejarah-lisan-dan-pendokumentasian-bab-1-docx
firo HAR
 
PPT
Pengurusan risiko projek
Amir Sagiran
 
PPT
3.4 ict strategy
mrmwood
 
PPTX
How Augmented Reality can Boost Print Book Sales!
Reality Premedia
 
PPT
Modul 1 pengurusan projek
Universiti Kebangsaan Malaysia (UKM)
 
PDF
Kooperative VR - Collaborative Virtual Engineering: VDC-Whitepaper
Virtual Dimension Center (VDC) Fellbach
 
PPTX
The new ISO 9001:2015
Reza Seifollahy
 
Hacking Homework - AR triggered by GPS locations, tactile objects or print
Brendan O'Keefe
 
QR codes and their application in libraries
Geoffrey Lowe
 
A quick response to promoting library services - How you can use QR Codes
Scott Hibberson
 
Qr Codes & Simple Augmented Reality in Academic Libraries - Oct. 2010
Robin M. Ashford, MSLIS
 
QR CODES IN AN ACADEMIC SETTING
genelg
 
Sncs2015 cybersecurityy risk and control jakarta 3-4 juni 2015 ver01
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
IT Governance
Carlos Chalico
 
The Books "AR" Alive-Augmented Reality in Books
Cindy Wright
 
Sejarah Lisan Tajuk 1
Alif Akram
 
IT Policy
SensewareInfomedia
 
Sejarah Lisan Tajuk 2
Alif Akram
 
3.5 ICT Policies
mrmwood
 
182764707 nota-sjh3104-sejarah-lisan-dan-pendokumentasian-bab-1-docx
firo HAR
 
Pengurusan risiko projek
Amir Sagiran
 
3.4 ict strategy
mrmwood
 
How Augmented Reality can Boost Print Book Sales!
Reality Premedia
 
Modul 1 pengurusan projek
Universiti Kebangsaan Malaysia (UKM)
 
Kooperative VR - Collaborative Virtual Engineering: VDC-Whitepaper
Virtual Dimension Center (VDC) Fellbach
 
The new ISO 9001:2015
Reza Seifollahy
 
Ad

Similar to IT-Risk-Management Best Practice (20)

PPTX
Risk Assessment
.AIR UNIVERSITY ISLAMABAD
 
PPTX
Risk - IT Services
Nema Chhaya Buch
 
PPT
Risk Management Training 2013
Vicky Ames
 
PDF
Information Risk Management - Cyber Risk Management - IT Risks
Hernan Huwyler, MBA CPA
 
PDF
Visió holística de la gestio de riscos de les TIC
CSUC - Consorci de Serveis Universitaris de Catalunya
 
DOCX
INFORMATION SECURITY MANAGEMENT
Ni
 
PPTX
Step by-step for risk analysis and management-yaser aljohani
yaseraljohani
 
PPTX
Step by-step for risk analysis and management-yaser aljohani
Yaser Alrefai
 
PDF
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
PDF
𝐂𝐑𝐈𝐒𝐂 𝐌𝐢𝐧𝐝 𝐌𝐚𝐩 𝐟𝐨𝐫 𝐄𝐟𝐟𝐞𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞
Mansi Kandari
 
PDF
CRISC Domains Mind Map InfosecTrain .pdf
infosec train
 
PDF
𝐂𝐑𝐈𝐒𝐂 𝐌𝐢𝐧𝐝 𝐌𝐚𝐩 𝐟𝐨𝐫 𝐄𝐟𝐟𝐞𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞.pdf
InfosecTrain Education
 
PDF
𝐂𝐑𝐈𝐒𝐂 𝐌𝐢𝐧𝐝 𝐌𝐚𝐩 𝐟𝐨𝐫 𝐄𝐟𝐟𝐞𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞
priyanshamadhwal2
 
PDF
𝐌𝐚𝐬𝐭𝐞𝐫𝐢𝐧𝐠 𝐂𝐑𝐈𝐒𝐂 𝐃𝐨𝐦𝐚𝐢𝐧𝐬: 𝐄𝐥𝐞𝐯𝐚𝐭𝐞 𝐘𝐨𝐮𝐫 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐆𝐚𝐦𝐞!
Mansi Kandari
 
PDF
Management of Risk and its integration within ITIL
hdoornbos
 
PPTX
Info sec 2011 julen c mohanty
Julen Mohanty
 
PPTX
Info sec 2011 julen c mohanty
Julen Mohanty
 
PPTX
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
jamiejohngianna
 
PPTX
Risk managemet made easy
sheyam selvaraj
 
PDF
Risk management automation
sheyam selvaraj
 
Risk Assessment
.AIR UNIVERSITY ISLAMABAD
 
Risk - IT Services
Nema Chhaya Buch
 
Risk Management Training 2013
Vicky Ames
 
Information Risk Management - Cyber Risk Management - IT Risks
Hernan Huwyler, MBA CPA
 
Visió holística de la gestio de riscos de les TIC
CSUC - Consorci de Serveis Universitaris de Catalunya
 
INFORMATION SECURITY MANAGEMENT
Ni
 
Step by-step for risk analysis and management-yaser aljohani
yaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
Yaser Alrefai
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
𝐂𝐑𝐈𝐒𝐂 𝐌𝐢𝐧𝐝 𝐌𝐚𝐩 𝐟𝐨𝐫 𝐄𝐟𝐟𝐞𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞
Mansi Kandari
 
CRISC Domains Mind Map InfosecTrain .pdf
infosec train
 
𝐂𝐑𝐈𝐒𝐂 𝐌𝐢𝐧𝐝 𝐌𝐚𝐩 𝐟𝐨𝐫 𝐄𝐟𝐟𝐞𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞.pdf
InfosecTrain Education
 
𝐂𝐑𝐈𝐒𝐂 𝐌𝐢𝐧𝐝 𝐌𝐚𝐩 𝐟𝐨𝐫 𝐄𝐟𝐟𝐞𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞
priyanshamadhwal2
 
𝐌𝐚𝐬𝐭𝐞𝐫𝐢𝐧𝐠 𝐂𝐑𝐈𝐒𝐂 𝐃𝐨𝐦𝐚𝐢𝐧𝐬: 𝐄𝐥𝐞𝐯𝐚𝐭𝐞 𝐘𝐨𝐮𝐫 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐆𝐚𝐦𝐞!
Mansi Kandari
 
Management of Risk and its integration within ITIL
hdoornbos
 
Info sec 2011 julen c mohanty
Julen Mohanty
 
Info sec 2011 julen c mohanty
Julen Mohanty
 
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
jamiejohngianna
 
Risk managemet made easy
sheyam selvaraj
 
Risk management automation
sheyam selvaraj
 

More from Digicomp Academy AG (20)

PDF
Becoming Agile von Christian Botta – Personal Swiss Vortrag 2019
Digicomp Academy AG
 
PDF
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
Digicomp Academy AG
 
PPTX
Innovation durch kollaboration gennex 2018
Digicomp Academy AG
 
PDF
Roger basler meetup_digitale-geschaeftsmodelle-entwickeln_handout
Digicomp Academy AG
 
PDF
Roger basler meetup_21082018_work-smarter-not-harder_handout
Digicomp Academy AG
 
PDF
Xing expertendialog zu nudge unit x
Digicomp Academy AG
 
PDF
Responsive Organisation auf Basis der Holacracy – nur ein Hype oder die Zukunft?
Digicomp Academy AG
 
PDF
IPv6 Security Talk mit Joe Klein
Digicomp Academy AG
 
PDF
Agiles Management - Wie geht das?
Digicomp Academy AG
 
PPTX
Gewinnen Sie Menschen und Ziele - Referat von Andi Odermatt
Digicomp Academy AG
 
PDF
Querdenken mit Kreativitätsmethoden – XING Expertendialog
Digicomp Academy AG
 
PDF
Xing LearningZ: Digitale Geschäftsmodelle entwickeln
Digicomp Academy AG
 
PDF
Swiss IPv6 Council: The Cisco-Journey to an IPv6-only Building
Digicomp Academy AG
 
PDF
UX – Schlüssel zum Erfolg im Digital Business
Digicomp Academy AG
 
PDF
Minenfeld IPv6
Digicomp Academy AG
 
PDF
Was ist design thinking
Digicomp Academy AG
 
PDF
Die IPv6 Journey der ETH Zürich
Digicomp Academy AG
 
PDF
Zahlen Battle: klassische werbung vs.online-werbung-somexcloud
Digicomp Academy AG
 
PDF
General data protection regulation-slides
Digicomp Academy AG
 
PDF
Möglichkeiten der Online-Werbung - Referat von Matteo Schürch
Digicomp Academy AG
 
Becoming Agile von Christian Botta – Personal Swiss Vortrag 2019
Digicomp Academy AG
 
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
Digicomp Academy AG
 
Innovation durch kollaboration gennex 2018
Digicomp Academy AG
 
Roger basler meetup_digitale-geschaeftsmodelle-entwickeln_handout
Digicomp Academy AG
 
Roger basler meetup_21082018_work-smarter-not-harder_handout
Digicomp Academy AG
 
Xing expertendialog zu nudge unit x
Digicomp Academy AG
 
Responsive Organisation auf Basis der Holacracy – nur ein Hype oder die Zukunft?
Digicomp Academy AG
 
IPv6 Security Talk mit Joe Klein
Digicomp Academy AG
 
Agiles Management - Wie geht das?
Digicomp Academy AG
 
Gewinnen Sie Menschen und Ziele - Referat von Andi Odermatt
Digicomp Academy AG
 
Querdenken mit Kreativitätsmethoden – XING Expertendialog
Digicomp Academy AG
 
Xing LearningZ: Digitale Geschäftsmodelle entwickeln
Digicomp Academy AG
 
Swiss IPv6 Council: The Cisco-Journey to an IPv6-only Building
Digicomp Academy AG
 
UX – Schlüssel zum Erfolg im Digital Business
Digicomp Academy AG
 
Minenfeld IPv6
Digicomp Academy AG
 
Was ist design thinking
Digicomp Academy AG
 
Die IPv6 Journey der ETH Zürich
Digicomp Academy AG
 
Zahlen Battle: klassische werbung vs.online-werbung-somexcloud
Digicomp Academy AG
 
General data protection regulation-slides
Digicomp Academy AG
 
Möglichkeiten der Online-Werbung - Referat von Matteo Schürch
Digicomp Academy AG
 

Recently uploaded (20)

PDF
the role of manager in strategic alliances
AdvisorCampaigns
 
PPTX
Chapter 2 strategic Presentation (6).pptx
5624212u
 
PDF
Handouts for Housekeeping.pdfbababvsvvNnnh
MarkallainFrancisco
 
PPTX
UNIT 3 INTERNATIONAL BUSINESS [Autosaved].pptx
pratyanshvish01
 
PPTX
IMM.pptx marketing communication givguhfh thfyu
aruntambralli3813
 
PDF
Chembond Chemicals Limited Presentation 2025
Chembond Chemicals Limited
 
PDF
Clouds that Assimilate the Build Parts I&II .pdf
Brij Consulting, LLC
 
PDF
Comments on Clouds that Assimilate Parts I&II.pdf
Brij Consulting, LLC
 
PDF
dataZense for Data Analytics unleashed features
Chainsys SEO
 
PPTX
IndustrialAIGuerillaInnovatorsARCPodcastEp3.pptx
Colin Masson
 
PDF
The Influence of Historical Figures on Legal Communication (www.kiu.ac.ug)
publication11
 
PPT
BCG内部幻灯片撰写. slide template BCG.slide template
d746tpyhkt
 
PDF
The Impact of Historical Events on Legal Communication Styles (www.kiu.ac.ug)
publication11
 
PDF
How to run a consulting project from scratch
P&CO
 
PPTX
Week2: Market and Marketing Aspect of Feasibility Study.pptx
IgoFebrianto1
 
PPTX
Leadership and leader jobs and ch - 2.pptx
dude28777
 
PPTX
Supply Chain under WAR (Managing Supply Chain Amid Political Conflict).pptx
Mohamed Abu Rahal
 
PDF
757557697-CERTIKIT-ISO22301-Implementation-Guide-v6.pdf
purdiantayo1
 
PPTX
Understanding Procurement Strategies.pptx Your score increases as you pick a ...
ssuser886aa1
 
PPTX
PwC consulting Powerpoint Graphics 2014 templates
tjmajingyan
 
the role of manager in strategic alliances
AdvisorCampaigns
 
Chapter 2 strategic Presentation (6).pptx
5624212u
 
Handouts for Housekeeping.pdfbababvsvvNnnh
MarkallainFrancisco
 
UNIT 3 INTERNATIONAL BUSINESS [Autosaved].pptx
pratyanshvish01
 
IMM.pptx marketing communication givguhfh thfyu
aruntambralli3813
 
Chembond Chemicals Limited Presentation 2025
Chembond Chemicals Limited
 
Clouds that Assimilate the Build Parts I&II .pdf
Brij Consulting, LLC
 
Comments on Clouds that Assimilate Parts I&II.pdf
Brij Consulting, LLC
 
dataZense for Data Analytics unleashed features
Chainsys SEO
 
IndustrialAIGuerillaInnovatorsARCPodcastEp3.pptx
Colin Masson
 
The Influence of Historical Figures on Legal Communication (www.kiu.ac.ug)
publication11
 
BCG内部幻灯片撰写. slide template BCG.slide template
d746tpyhkt
 
The Impact of Historical Events on Legal Communication Styles (www.kiu.ac.ug)
publication11
 
How to run a consulting project from scratch
P&CO
 
Week2: Market and Marketing Aspect of Feasibility Study.pptx
IgoFebrianto1
 
Leadership and leader jobs and ch - 2.pptx
dude28777
 
Supply Chain under WAR (Managing Supply Chain Amid Political Conflict).pptx
Mohamed Abu Rahal
 
757557697-CERTIKIT-ISO22301-Implementation-Guide-v6.pdf
purdiantayo1
 
Understanding Procurement Strategies.pptx Your score increases as you pick a ...
ssuser886aa1
 
PwC consulting Powerpoint Graphics 2014 templates
tjmajingyan
 

IT-Risk-Management Best Practice

  • 1. IT  Risk  Management   Digicomp  Hacking  Day,  11.06.2014   Umberto  Annino  
  • 2. •  Wer  spricht?   Umberto  Annino   WirtschaCsinformaEker,  InformaEon  Security   •  Was  ist  ein  Risiko?   !  Sicherheit  ist  das  Komplementärereignis   zum  Risiko   !  Risiko  ist  Schaden  mit  Potenzial   2  
  • 3. Risiko   3   Gefahr   Bedrohung   Schwach-­‐ stelle   Asset   Risiko  
  • 4. Realitätsabgleich   Compliance?   Risk  Management?   OperaEonal  Risk,  Business  ConEnuity?   IT,  InformaEon  Security  –  Cyber  Security?   Red  Team,  Threat  Modeling,  APT  and  openSSL?   Big  Data???     Security  ™  vs.  Compliance  ™   4  
  • 5. IT  Risiko  in  der  Risiko-­‐Hierarchie   5  
  • 6. COSO   Enterprise  Risk  Management  Framework   6  
  • 7. ISO  31000  Risk  Mgmt  (2009)   Guidelines  and  Principles  and  Framework   7  
  • 10. ISO  31000  -­‐  Processes   10   Design  of   framework  for   managing  risk   Understanding  of  the  organisaEon  and  its  context   Establishing  risk  management  policy   Accountability   IntegraEon  into  organisaEonal  processes   Resources   Establishing  internal  communicaEon  and  reporEng  mechanisms   Establishing  external  communicaEon  and  reporEng  mechanisms   ImplemenEng   risk   management   ImplemenEng  the  framework  for  managing  risk   ImplemenEng  the  risk  management  process   Monitoring  and  review  of  the  framework   ConEnual  improvement  of  the  framework   !  Mandate  and  commitment  
  • 11. ISO  31000  -­‐  Processes   11   Risk   Management   Process   CommunicaEon  and  consultaEon   Establishing  the  external  context   Establishing  the  internal  context   Establishing  the  context  of  the  risk   management  process   Defining  risk  criteria   Risk  assessment   Risk  idenEficaEon   Risk  analysis   Risk  evaluaEon   Risk  treatment   Monitoring  and  review   Recording  the  risk  management   process  
  • 12. ISO  31000   Acributes  of  enhanced  risk  management   •  Key  outcomes   –  The  organisaEon  has  a  current,  correct  and   comprehensive  understanding  of  its  risks   –  The  organisaEon‘s  risks  are  within  its  risk  criteria   •  Acributes   –  ConEnual  improvement   –  Full  accountability  for  risks   –  ApplicaEon  of  risk  management  in  all  decision  making   –  ConEnual  communicaEons   –  Full  integraEon  in  the  organisaEon‘s  governance   structure   12  
  • 13. ISO  27005   InformaEon  Security  Risk  Management   13  
  • 14. ISO  27005   Context  Establishment   14   Basic   Criteria   Risk  management  approach   Risk  evaluaEon  criteria   Impact  criteria   Risk  acceptance  criteria   ! Scope  and  Boundaries   ! OrganisaEon  for  informaEon  security  risk  management  
  • 15. ISO  27005   InformaEon  security  risk  assessment   15   Risk   idenEficaEon   IdenEficaEon  of  assets   IdenEficaEon  of  threats   IdenEficaEon  of  exisEng  controls   IdenEficaEon  of  vulnerabiliEes   IdenEficaEon  of  consequences   Risk  analysis   Risk  analysis  methodologies   Assessment  of  consequences   Assessment  of  incident  likelihood   Level  of  risk  determinaEon  
  • 16. ITGI  RiskIT  Framework   PosiEonierung   16  
  • 17. IT  Risk  (high  level)  categories   17  
  • 19. Risk  maps...   •  Risk   appeEte   •  Risk   tolerance   •  Risk   culture   19  
  • 21. IT  risk  scenario  development   21  
  • 23. Aber:  scenario  based...   !  keeping  it  real!   23  
  • 24. IT  Risk  Response   opEons  and   prioriEsaEon   24  
  • 25. Verwalten  von  IT  Risiken   Risiko   management   Risiko   analyse   Risiko   idenEfikaEon   Konsolidierung   Link  to   business   Risiko   bewertung   QuanEtaEv   QualiEaEv   StaEsEsche   Basis   Risiko   lenkung   Risiko   bearbeitung   Admin   Disziplin/ Aufwand   Kosten   ROI   Risiko   tracking   Nachvollzieh-­‐   barkeit   Konstanz   (Zahlen)   25  
  • 26. QuanEfizieren  von  IT  Risiken   26   Big  Data?  Loss  DB?   Komplexität  von  InformaEonssystemen  (und  SoCware)?  
  • 27. QuanEfizieren  von  IT  Risiken   •  In  der  Praxis  eher  qualitaEv  stac  quanEtaEv   –  Fehlende  staEsEsche  Basis   –  Prinzipiell  komplexe  Systeme   –  Wenig  akuter  Bedarf  zur  QuanEfizierung  !  über   Verknüpfung  mit  Business  Process   •  Konsolidierung  der  Werte  für  Management   ReporEng  als  Grundlage  für  QuanEfikaEon   •  In  der  Praxis  eher  „erste  Schrice“  stac  best   pracEse   •  ISO  27005,  ITGI  RiskIT  Framework  und   PracEcEoner  Guide  bieten  brauchbare   Grundlagen  (Framework)   27  
  • 28. Risk  Treatment   28   Risk   treatment   Avoid   Eliminate   Reduce   Minimize     Transfer   Externalize   Accept   Residual  Risk   Controls   Measures   Avoid  /   Verhindern   Detect  /   Entdecken   Minimize  /   Eindämmen  
  • 29. Risk  Treatment  –  ISO  27005   29  
  • 30. Konsolidieren  von  IT  Risiken   Disjointed  risks   30  
  • 31. Konsolidieren  von  IT  Risiken   shared  risks   31  
  • 32. 32