RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
Developing a Risk Management Strategy with CAP
As an information security professional, it is your role to take on the cybersecurity
challenges in your organization. That is where a solid understanding of Risk
Management comes in. Risk Management is a lot like a chess game. To succeed
you need to understand the risks ahead and be able to plot future scenarios,
to weigh up the relative impacts and then plan accordingly.
The Certified Authorization Professional (CAP) certification attests to professionals’
expertise in risk assessment and security authorization.
Learn More about (ISC)²’s CAP Certification and Training Options.
What is Risk Management?
Risk management is the process of identifying, assessing and controlling threats
to an organization’s capital and earnings. In many ways, risk management is very
similar to a chess game. Of course, the main difference is that chess is only a
game, with predefined rules, but the strategies are easily transferrable to how
risk management works.
Think of a chess board. It is a deceptively simple, predefined field of 64 squares.
In a risk management scenario, the operational field is also predefined for the
industry in which the risk register is quantified. Careful risk planning is about
anticipating risks to a specific industry, rather than flights of fancy. This is why
it is important to have a qualified professional who is well-versed in various
risk frameworks on your team.
Benefits of Risk Management
The opening moves of a chess game can have a lasting impact throughout
the entire contest. The most amazing part of the game is that no pieces are
hidden from view. How could such an obvious layout of pieces, all with
set rules for their movement, have seemingly infinite outcomes? This is due
to the robustness of strategy offered through the careful orchestration
of all the pieces working together.
A robust risk management strategy has many benefits, and must also function
in a prudently managed mode. Some ways that a sound risk management
strategy can work to protect a company include:
•	 Protecting its future by considering the risks or events before they occur
•	 Helping a company establish procedures:
	– To avoid potential threats
	– To minimize their impact should they occur and
	– To cope with the results
•	 Creating a safe and secure environment for all employees and customers
How Frameworks Help Manage Risk
Sometimes, constraints can be crippling. A beginner in chess will often
wonder why a piece can only move a certain way. This often presents frustrating
predicaments. Yet, as one progresses and becomes more accustomed to the
movements, patterns emerge that can be liberating. What was once an empty
framework becomes an empty canvas with multiple possibilities.
A framework acts as a skeleton, and can give the total enterprise risk
management strategy a proper guideline with steps to follow.
They are used to:
•	 Assess the state of the overall security program
•	 Build a comprehensive security program
•	 Measure maturity and conduct industry comparisons
•	 Simplify communications with business leaders
The Most Important Principles
There are 7 important principles in chess that can help guide your approach
to implementing a successful risk management framework.
1.	Develop all your pieces
2.	Create a favorable structure
3.	Restrict your opponent’s pieces
4.	Neutralize your opponent’s plan
5.	Accumulate small advantages
6.	Convert temporary advantages into permanent ones
7.	Don’t take unnecessary chances
Start by choosing the most appropriate frameworks for your organization
and build resilience over time using these same principles.
NIST Risk Management Framework
The Legendary Move
The National Institute of Standards and Technology (NIST) Risk Management
Framework (RMF) provides a flexible, holistic and repeatable 7-step process
to manage security and privacy risk:
1.	Prepare for risk management through essential activities critical to design and implementation of a risk management program
2.	Categorize Information Systems
3.	Select Security Controls
4.	Implement Security Controls
5.	Assess Security Controls
6.	Authorize Information Systems
7.	Continuously Monitor Security Controls
[Figure: NIST RMF (Risk Management Framework, nist.gov/rmf) cycle diagram showing the steps Prepare, Categorize, Select, Implement, Assess, Authorize and Monitor]
ISO 27001
The Thunderbolt Gambit
ISO 27001 “Information technology — Security techniques —
Information security management systems — Requirements” is a
framework that helps organizations “establish, implement, operate,
monitor, review, maintain and continually improve an ISMS”.
The basic goal of ISO 27001 is to protect the confidentiality,
integrity and availability of information.
There are 5 steps for an effective ISO 27001 risk assessment:
1.	Establish a risk management framework
2.	Identify risks
3.	Analyze risks
4.	Evaluate risks
5.	Select risk treatment options
ISO 27001 Management System Clauses
•	 Clauses 1, 2, 3: Scope, normative references and terms and definitions.
•	 Clause 4 (Context): Internal and external issues that may be relevant to the business and to the achievement of the objectives of the ISMS. Includes confirming interested parties and scope.
•	 Clause 5 (Leadership): How top management will support the ISMS by creating roles and measures to implement and monitor it. Includes developing an information security policy aligned to business objectives.
•	 Clause 6 (Planning): How the organization creates actions to address risks. Includes setting information security objectives.
•	 Clause 7 (Support): Securing the right resources, the right people and the right infrastructure to manage and maintain the ISMS.
•	 Clause 8 (Operation): How the plans and processes will be executed, including documentation that needs to be produced.
•	 Clause 9 (Performance Evaluation): How the organization will monitor, measure, analyze and evaluate the ISMS.
•	 Clause 10 (Improve): Corrective action and continual improvement requirements.
[Figure: ISO 27001 clause cycle (Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improve), with "Assess Risks" marked against clauses 6 & 8]
ISO 31000
The Stunner Switch
ISO 31000 is an international standard for risk management that provides a set of
principles, a risk management framework and a risk management process, which
helps organizations take a proactive approach to risks they face.
The ISO 31000 standard has 8 principles:
1.	Integrated into all business operations and activities
2.	Structured and comprehensive
3.	Tailored to the organization’s goals and business environment
4.	Inclusive and involving all responsible stakeholders
5.	Robust and dynamic, adapting to the evolving risk landscape
6.	Limitations of available information should be considered
7.	Human and cultural factors should be considered
8.	The risk management framework is continuously improved through lessons learnt, feedback, and experience
[Figure: ISO 31000 principles wheel around "Value creation and protection", with segments Integrated; Structured and comprehensive; Customized; Inclusive; Dynamic; Best available information; Human and cultural factors; Continual improvement]
Control Objectives for Information Technologies (COBIT)
The King’s Counter
COBIT is an IT management framework developed by ISACA to
help businesses develop, organize and implement strategies
around information management and governance.
The framework includes 40 objectives and focuses
specifically on:
•	 Security
•	 Risk Management
•	 Information Governance
[Figure: COBIT diagram with three rings: program management (outer ring), change enablement (middle ring) and continual improvement life cycle (inner ring). The rings are arranged around seven questions: 1. What are the drivers? 2. Where are we now? 3. Where do we want to be? 4. What needs to be done? 5. How do we get there? 6. Did we get there? 7. How do we keep the momentum going?]
The Amazing Endgame
Chess is not an easy game to master. However, the correct understanding of the
nuances can make all the difference in one’s enjoyment of such a challenging
endeavour. Similarly, a solid risk management approach is based on many of the
same principles that make any disciplined undertaking valuable. The difference
is that, with risk management, the stakes are higher, as the protection of the
organization is the goal.
The Role of a Certified Authorization Professional (CAP)
Understanding, selecting and applying the right
framework falls within the responsibilities of a CAP.
CAP professionals possess the knowledge to:
•	 Understand the foundations
•	 Define the scope
•	 Select and approve security and privacy controls
•	 Implement the selected security and privacy controls
•	 Assess the applicability and effectiveness of established security and privacy controls
•	 Authorize an Information System
•	 Establish continuous monitoring to adapt to the changing risk environment
The CAP certification shows employers you have the advanced technical
skills and knowledge to understand Governance, Risk and Compliance (GRC)
and can authorize and maintain information systems utilizing various risk
management frameworks, as well as best practices, policies and procedures.
The CAP is ideal for IT, information security and information assurance
practitioners who work in GRC roles and have a need to understand,
apply and/or implement a risk management program for IT systems
within an organization.
Work in government? See how the CAP meets the
U.S. Department of Defense (DoD) Directive 8570.1.
Explore our (ISC)² Official CAP training options:
online instructor-led, or self-study tools.
Learn More about CAP:
Cybersecurity’s Specialized Risk Management
Security Certification
Want More Insights?
Read Our Latest CAP Resources:
Your Guide to Mitigating Evolving Risk
Get the Guide
Advance Your Information Security Career Strategy
Read the eBook
Looking to train your team?
Get Team Consult
For more guidance, contact your local office:
Americas
+1.866.331.4722 ext. 2
training@isc2.org
EMEA
+44-203-960-7800
info-emea@isc2.org
Asia-Pacific
+852-2850 6951
isc2asia@isc2.org

Stop throwing your old clothes and start donatingStop throwing your old clothes and start donating
Stop throwing your old clothes and start donating
 
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Mehrauli  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
call girls in sector 22 Gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in sector 22 Gurgaon  🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in sector 22 Gurgaon  🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in sector 22 Gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in DLF Phase 1  gurgaon  🔝 >༒9540349809 🔝 genuine Escort Service 🔝...call girls in DLF Phase 1  gurgaon  🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
 
Professional Conduct and ethics lecture.pptx
Professional Conduct and ethics lecture.pptxProfessional Conduct and ethics lecture.pptx
Professional Conduct and ethics lecture.pptx
 
Call Girl Benson Town - Phone No 7001305949 For Ultimate Sexual Urges
Call Girl Benson Town - Phone No 7001305949 For Ultimate Sexual UrgesCall Girl Benson Town - Phone No 7001305949 For Ultimate Sexual Urges
Call Girl Benson Town - Phone No 7001305949 For Ultimate Sexual Urges
 
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
 
Enhancing Indigenous Peoples' right to self-determination in the context of t...
Enhancing Indigenous Peoples' right to self-determination in the context of t...Enhancing Indigenous Peoples' right to self-determination in the context of t...
Enhancing Indigenous Peoples' right to self-determination in the context of t...
 
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
 
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesMadurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
 

RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS

  • 2. Developing a Risk Management Strategy with CAP
    As an information security professional, it is your role to take on the cybersecurity challenges in your organization. That is where a solid understanding of Risk Management comes in. Risk Management is a lot like a chess game. To succeed you need to understand the risks ahead and be able to plot future scenarios, to weigh up the relative impacts and then plan accordingly.
    The Certified Authorization Professional (CAP) certification attests to professionals’ expertise in risk assessment and security authorization.
    Learn More about (ISC)²’s CAP Certification and Training Options.
  • 3. What is Risk Management?
    Risk management is the process of identifying, assessing and controlling threats to an organization’s capital and earnings. In many ways, risk management is very similar to a chess game. Of course, the main difference is that chess is only a game, with predefined rules, but the strategies are easily transferrable to how risk management works.
    Think of a chess board. It is a deceptively simple, predefined field of 64 squares. In a risk management scenario, the operational field is also predefined for the industry in which the risk register is quantified. Careful risk planning is about anticipating risks to a specific industry, rather than flights of fancy. This is why it is important to have a qualified professional who is well-versed in various risk frameworks on your team.
  • 4. Benefits of Risk Management
    The opening moves of a chess game can have a lasting impact throughout the entire contest. The most amazing part of the game is that no pieces are hidden from view. How could such an obvious layout of pieces, all with set rules for their movement, have seemingly infinite outcomes? This is due to the robustness of strategy offered through the careful orchestration of all the pieces working together.
    A robust risk management strategy has many benefits, and must also function in a prudently managed mode. Some ways that a sound risk management strategy can work to protect a company include:
    • Protecting its future by considering the risks or events before they occur
    • Helping a company establish procedures:
      – To avoid potential threats
      – Minimize their impact should they occur and
      – Cope with the results
    • Creating a safe and secure environment for all employees and customers
  • 5. How Frameworks Help Manage Risk
    Sometimes, constraints can be crippling. A beginner in chess will often wonder why a piece can only move a certain way. This presents often frustrating predicaments. Yet, as one progresses and becomes more accustomed to the movements, patterns emerge that can be liberating. What was once an empty framework becomes an empty canvas with multiple possibilities.
    A framework acts as a skeleton, and can give the total enterprise risk management strategy a proper guideline with steps to follow. They are used to:
    • Assess the state of the overall security program
    • Build a comprehensive security program
    • Measure maturity and conduct industry comparisons
    • Simplify communications with business leaders
  • 6. The Most Important Principles
    There are 7 important principles in chess that can help guide your approach to implementing a successful risk management framework.
    1. Develop all your pieces
    2. Create a favorable structure
    3. Restrict your opponent’s pieces
    4. Neutralize your opponent’s plan
    5. Accumulate small advantages
    6. Convert temporary advantages into permanent ones
    7. Don’t take unnecessary chances
    Start by choosing the most appropriate frameworks for your organization and build resilience over time using these same principles.
  • 7. NIST Risk Management Framework: The Legendary Move
    The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) provides a flexible, holistic and repeatable 7-step process to manage security and privacy risk:
    1. Prepare for risk management through essential activities critical to design and implementation of a risk management program
    2. Categorize Information Systems
    3. Select Security Controls
    4. Implement Security Controls
    5. Assess Security Controls
    6. Authorize Information Systems
    7. Continuously Monitor Security Controls
    [Figure: NIST RMF Risk Management Framework cycle (nist.gov/rmf): Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor]
  • 8. ISO 27001: The Thunderbolt Gambit
    ISO 27001 “Information technology — Security techniques — Information security management systems — Requirements” is a framework that helps organizations “establish, implement, operate, monitor, review, maintain and continually improve an ISMS”. The basic goal of ISO 27001 is to protect the confidentiality, integrity and availability of information.
    There are 5 steps for an effective ISO 27001 risk assessment:
    1. Establish a risk management framework
    2. Identify risks
    3. Analyze risks
    4. Evaluate risks
    5. Select risk treatment options
    ISO 27001 management system clauses:
    • 1, 2, 3: Scope, normative references and terms and definitions.
    • 4 (Context): Internal and external issues that may be relevant to the business and to the achievement of the objectives of the ISMS. Includes confirming interested parties and scope.
    • 5 (Leadership): How top management will support the ISMS by creating roles and measures to implement and monitor it. Includes developing an information security policy aligned to business objectives.
    • 6 (Planning): How the organization creates actions to address risks. Includes setting information security objectives.
    • 7 (Support): Securing the right resources, the right people and the right infrastructure to manage and maintain the ISMS.
    • 8 (Operation): How the plans and processes will be executed, including documentation that needs to be produced.
    • 9 (Performance Evaluation): How the organization will monitor, measure, analyze and evaluate the ISMS.
    • 10 (Improve): Corrective action and continual improvement requirements.
    [Figure: ISO 27001 clause wheel showing clauses 4 to 10, with "Assess Risks" marked against clauses 6 & 8]
  • 9. ISO 31000: The Stunner Switch
    ISO 31000 is an international standard for risk management that provides a set of principles, a risk management framework and a risk management process, which helps organizations take a proactive approach to risks they face.
    The ISO 31000 standard has 8 principles:
    1. Integrated into all business operations and activities
    2. Structured and comprehensive
    3. Tailored to the organization’s goals and business environment
    4. Inclusive and involving all responsible stakeholders
    5. Robust and dynamic, adapting to the evolving risk landscape
    6. Limitations of available information should be considered
    7. Human and cultural factors should be considered
    8. The risk management framework is continuously improved through lessons learnt, feedback, and experience
    [Figure: ISO 31000 principles wheel centered on "Value Creation and Protection": Continual Improvement, Human and Cultural Factors, Best Available Information, Integrated, Structured and Comprehensive, Customized, Inclusive, Dynamic]
  • 10. Control Objectives for Information Technologies (COBIT): The King’s Counter
    COBIT is an IT management framework developed by ISACA to help businesses develop, organize and implement strategies around information management and governance.
    The framework includes 40 objectives and focuses specifically on:
    • Security
    • Risk Management
    • Information Governance
    [Figure: COBIT implementation life cycle with three rings: Program Management (outer ring), Change Enablement (middle ring), Continual Improvement Life Cycle (inner ring). The cycle is organized around seven questions: 1. What are the drivers? 2. Where are we now? 3. Where do we want to be? 4. What needs to be done? 5. How do we get there? 6. Did we get there? 7. How do we keep the momentum going?]
  • 11. The Role of a Certified Authorization Professional (CAP): The Amazing Endgame
    Chess is not an easy game to master. However, the correct understanding of the nuances can make all the difference in one’s enjoyment of such a challenging endeavour. Similarly, a solid risk management approach is based on many of the same principles that make any disciplined undertaking valuable. The difference is that, with risk management, the stakes are higher, as the protection of the organization is the goal.
    Understanding, selecting and applying the right framework falls within the responsibilities of a CAP. CAP professionals possess the knowledge to:
    • Understand the foundations
    • Define the scope
    • Select and approve security and privacy controls
    • Implement the selected security and privacy controls
    • Assess the applicability and effectiveness of established security and privacy controls
    • Authorize an Information System
    • Establish continuous monitoring to adapt to the changing risk environment
  • 12. Learn More about CAP: Cybersecurity’s Specialized Risk Management Security Certification
    The CAP certification shows employers you have the advanced technical skills and knowledge to understand Governance, Risk and Compliance (GRC) and can authorize and maintain information systems utilizing various risk management frameworks, as well as best practices, policies and procedures.
    The CAP is ideal for IT, information security and information assurance practitioners who work in GRC roles and have a need to understand, apply and/or implement a risk management program for IT systems within an organization.
    Work in government? See how the CAP meets the U.S. Department of Defense (DoD) Directive 8570.1.
    Explore our (ISC)² Official CAP training options: online instructor-led, or self-study tools.
  • 13. Want More Insights? Read Our Latest CAP Resources:
    • Your Guide to Mitigating Evolving Risk (Get the Guide)
    • Advance Your Information Security Career Strategy (Read the eBook)
    Looking to train your team? Get Team Consult
    For more guidance, contact your local office:
    • Americas: +1.866.331.4722 ext. 2, training@isc2.org
    • EMEA: +44-203-960-7800, info-emea@isc2.org
    • Asia-Pacific: +852-2850 6951, isc2asia@isc2.org