Vijay Mohire presented information on his planned contributions to Microsoft's ACE (Assessment, Consulting & Engineering) team. He outlined how he would assist with risk assessments, compliance checks, security consultations, engineering tasks, and program management. The presentation also provided an overview of Microsoft's information security practices, including its security stack, tools like Azure and Active Directory, and adherence to standards like NIST and PCI DSS.
Step by-step for risk analysis and management - yaser aljohani, by Yaser Alrefai
Risk analysis and management is important for Digital Zone Corporation to secure their systems and customer information. They collect personal information from customers and need to identify vulnerabilities, threats, and risks. The analysis includes evaluating assets, finding vulnerabilities, conducting a risk assessment, and establishing security policies. It also provides recommendations for managing risks, such as creating an information risk management policy, security awareness training, and contingency plans. Regular risk analysis helps Digital Zone Corporation improve security and maintain customer trust.
Disaster recovery & business continuity, by Dhani Ahmad
This document discusses contingency planning for disasters and business continuity. It defines incident response planning, disaster recovery planning, and business continuity planning as the three main components of contingency planning. It provides learning objectives and outlines the major steps in contingency planning, including conducting a business impact analysis, developing an incident response plan, and creating disaster recovery and business continuity plans.
The document outlines a 9-step process for managing an enterprise cybersecurity program that includes assessing risks, identifying security scopes, evaluating security capabilities and operations, setting target security levels, identifying deficiencies, prioritizing improvements, resourcing and executing improvements, collecting operational metrics, and repeating the process on an ongoing cycle. It provides details on each step and on how to assess risks, identify improvement areas, and prioritize remediation efforts to strengthen the overall cybersecurity posture. The goal is to use this iterative process to make progressive improvements to the enterprise's cybersecurity over time.
Review of Enterprise Security Risk Management, by Rand W. Hirt
The document discusses enterprise security risk management and provides details on the risk assessment process. It defines risk as the likelihood of an adverse event occurring multiplied by the impact. Risk management aims to identify and mitigate risks to acceptable levels. The risk assessment process involves determining scope, gathering information, assessing risks, recommending controls, and determining residual risk. Controls can reduce risk through preventative, detective or corrective measures. Ongoing monitoring ensures the organization's risk posture remains consistent over time.
Mastering Information Technology Risk Management, by Goutama Bachtiar
These are the presentation slides used as part of the courseware for the Information Technology Risk Management training workshop delivered in May 2013.
Microsoft established its risk management group (RMG) in 1997 within the treasury department to develop a comprehensive approach to risk identification, measurement, and management across the enterprise. The RMG worked to bring non-financial risk management practices in line with the more mature financial risk management processes. Microsoft developed internal risk measurement systems and consulted third parties to ensure all risks were captured. The company encouraged a culture of transparency around risk through accessible internal reporting and education for all employees.
Risk Based Security and Self Protection Powerpoint, by randalje86
Miguel Sanchez presented on risk based security and self protection technologies. He discussed how the threat landscape has changed and the need for a proactive, risk based approach. This involves a multi-tiered risk management process including framing risks at the organizational, mission, and system levels. Emerging technologies like runtime application self protection can help applications protect themselves by monitoring for threats during execution.
Risk Management Strategy is an approach to dealing with global risks that focuses on anticipating events and on designing and implementing procedures to minimize the occurrence of an event, or its impact if it does occur.
In the era of globalization and an interconnected world, the task of protecting a company from global risks has become complicated. Any kind of internal or external risk can disrupt its usual business activities. The source of a potential risk can be a human being, a technology failure, sabotage or Mother Nature. All the risks must be considered individually, since they overlap to a large degree. Our Global Risk Management consulting therefore focuses on terrorism, internal sabotage, external espionage and technology failure.
This document outlines a risk assessment methodology for organizations. It discusses how risk assessments are often not implemented formally or do not provide practical advice. The presented method uses foundation documents, risk evaluation criteria, and a multi-round review process called the Delphic Technique to provide a standardized risk assessment. It recommends developing reusable templates, defining assessment scope and objectives, using the methodology to identify and evaluate risks, and creating formal treatment plans. Time is included as a variable to show changing risks over time. The goal is for assessments to identify practical risk reduction options.
Risk management is the process of analyzing exposure to risk and determining how to best handle such exposure.
Issues important to top management typically receive a lot of attention from many quarters. Since top management cares about risk management, a number of popular IT risk-management frameworks have emerged.
This document provides an overview of security risk management. It discusses reactive versus proactive approaches, and quantitative versus qualitative risk prioritization. The key steps of the security risk management process include assessing risks, conducting decision support, implementing controls, and measuring effectiveness. When assessing risks, organizations should plan the assessment, gather data through facilitated discussions, and prioritize risks. Both quantitative and qualitative approaches have benefits and drawbacks.
Mrs Bianca Pasipanodya, the Group ICT executive for First Mutual Group and an esteemed speaker at the ISACA Harare Chapter, gives her remarks about the implementation of an effective Information Security Management System in Zimbabwe.
The document outlines the risk assessment process recommended by NIST, which includes 9 steps: 1) system characterization, 2) threat identification, 3) vulnerability identification, 4) control analysis, 5) likelihood determination, 6) impact analysis, 7) risk determination, 8) control recommendations, and 9) results documentation. The goal is to identify risks, determine their likelihood and impact, and recommend controls to mitigate risks to protect the organization's mission.
The document defines key risk management terminology such as risk register, risk, risk management, risk appetite, risk owner, risk matrix, and risk vulnerability. It also outlines the risk management process recommended by PRINCE2 and lists common risk categories and responses to risks. Finally, it provides guidance on developing an ICT risk register, including understanding objectives, identifying risks, documenting the risk register, and getting approval.
This document outlines a 5-step process for managing organizational ICT security:
1. Identify the organization's business objectives to ensure ICT resources support them.
2. Identify all ICT resources, including network infrastructure, servers, user devices, and hardware.
3. Identify and assess risks to ICT resources, such as theft, damage, and unauthorized access, and prioritize them based on likelihood and cost.
4. Develop activities to mitigate risks through a 7-layered approach involving policies, physical security, perimeter controls, internal access management, host protection, and application hardening.
5. Implement and monitor the security program with roles for the CIO, CISO, ICT
This document discusses information technology risks in banking, specifically related to internet banking. It outlines two models of internet banking - established banks providing online services and internet-only banks. While regulatory expectations are the same, internet-only banks face unique risks like high marketing costs and low margins. The document also discusses various types of IT risks including financial, operational, and compliance risks. It provides examples of risks from hacking, viruses, and unauthorized access and their potential impacts. Finally, it outlines different supervisory approaches to assessing IT risks.
This document discusses risk management and outlines the FAIR approach to risk assessment. It describes identifying risks, evaluating frequency and magnitude of losses, and deriving risk. Five strategies for controlling risks are discussed: defend, transfer, mitigate, accept, and terminate. Metrics and best practices for risk management are also presented.
Risk Based Security Management (RBSM) is defined as applying rigorous analytical techniques to evaluate risks impacting an organization's information assets and infrastructure. RBSM involves identifying important assets and risks, collecting relevant data, performing risk assessments to analyze probabilities and impacts, presenting results to the organization, identifying control objectives to minimize risks, selecting and implementing controls, monitoring controls, and repeating the process as the environment changes. Glintt's RBSM managed services approach creates an environment for informed choices by analyzing threat frequencies and vulnerabilities cyclically with feedback to continuously learn and challenge assumptions.
The document discusses vulnerability analysis and management. It defines vulnerability and describes individual, facility, and community vulnerability. It emphasizes the importance of vulnerability assessment, which involves identifying, quantifying, and prioritizing vulnerabilities in systems. The key aspects of vulnerability management are identified as identification and learning about vulnerabilities, mitigation, and monitoring. An optimal vulnerability management methodology is described using the Improved Vulnerability Assessment Framework, which is a three-step process of defining minimum essential infrastructure, identifying vulnerabilities, and prioritizing vulnerabilities for remediation.
This document discusses risk assessments and managing third-party risk. It provides an overview of Optiv, a security consulting firm, and their services including risk management, security operations, and security technology. It then covers topics like the evolution of the CISO role, enterprise risk management, assessing assets, threats, vulnerabilities, and controls. The document provides methods for evaluating risk like the risk equation and risk register. It also discusses managing risk from third parties and cloud providers through due diligence and risk tiers based on the relationship and inherent risks.
This document provides guidance on making the right technology investment decisions by balancing risk and debt. It discusses calculating your existing technology debt, questions to ask suppliers, and how to make technology decisions. Key aspects covered include understanding when decisions to delay upgrades incur debt, assessing the "interest rate" of that debt, and classifying risk based on a technology's readiness level. The document emphasizes that technology decisions ultimately depend on building trust with suppliers.
This document provides an overview of information security risk management. It defines risk management as identifying risks, their owners, probability, impact, suitable mitigations, and contingency plans. The objectives of information security risk management are ensuring risks to confidentiality, integrity, availability, and traceability of information are effectively managed. Common problems with risk management include poor risk descriptions, ineffective mitigation actions, and a reactive rather than proactive approach. The document outlines identifying risks from sources like cloud computing and third parties, recording risks in a risk register, assigning owners, and monitoring mitigation progress.
This document discusses risk management in information technology. It begins with introductions and an agenda. It then covers IT management basics like strategy, operations, and project management. It defines IT risks as the possibility that IT will not be able to deliver required capabilities. It discusses identifying, analyzing, planning for, tracking, controlling, and communicating risks. It provides an example of managing application support risks and a case study on a project to improve service excellence at an organization.
This document discusses risk management in the software industry. It outlines the importance of risk management, including its role in frameworks like CMMI, ISO 20000, TL 9000, and ITIL. It then describes the typical risk management process, which involves defining a risk management strategy, identifying and analyzing risks, and handling risks through mitigation plans. Finally, it lists common activities in risk management, such as identifying risk sources and categories, evaluating risks, developing mitigation plans, and implementing those plans through risk monitoring.
The document discusses designing next-generation threat identification solutions. It summarizes traditional threat modeling approaches and identifies challenges, such as incomplete threat coverage, inability to follow processes rigorously, and lack of suitability for new development scenarios. It proposes key elements for new solutions, including making the business the driver, empowering developers, using continuous and customizable processes, and taking a collaborative approach. The goals are to address resource constraints, conduct analysis throughout product lifecycles, and standardize flexible processes for different teams and products.
Introduction to Risk Management Fundamentals, by Toño Herrera
This document provides an overview of risk management concepts including definitions of risk management, risk, the risk management process, risk identification, estimation, evaluation, treatment, and residual risk. It discusses qualitative and quantitative approaches to risk estimation and outlines the risk management process as establishing context, risk identification, analysis, evaluation, and treatment. It also defines risk appetite and tolerance.
Step by-step for risk analysis and management - yaser aljohani, by yaseraljohani
Risk analysis and management helps organizations improve security and protect sensitive information. The document outlines steps taken to analyze risks at Digital Zone Corporation, an IT services company. It identifies assets, threats, vulnerabilities, and recommends security policies, employee training, and contingency plans to reduce risks like data breaches or system failures. Assessment tools evaluated networks and hosts, finding vulnerabilities to inform countermeasures that lower overall organizational risk.
The document provides an overview of the CISSP certification course. It outlines the 8 domains that will be covered in the CISSP certification exam: Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. It also provides details about the exam such as the number of questions, time limit, and materials allowed.
This document discusses risk management in project management. It explains that risk identification, probability assessment, and impact estimation are important activities for risk analysis. Risks can be proactively or reactively managed. Proactive management involves formal risk analysis and addressing root causes, while reactive management involves responding to risks as they occur. Key aspects of risk management include identifying risks, analyzing their probability and impact, developing a risk table to plan mitigation strategies, and continuously monitoring and managing risks throughout the project lifecycle.
The document defines risk and issue, outlines the risk lifecycle and management cycle, and provides details on risk identification, analysis, assessment, and management. Key points include:
- A risk is a potential future event that could negatively impact objectives, while an issue is a current problem.
- The risk management cycle includes identifying risks, assessing them, selecting strategies, implementing controls, and monitoring/evaluating.
- Risk identification involves knowing the organization's assets and sources of risk. Risk analysis assesses the likelihood and impact of risks.
MCGlobalTech presentation to manufacturing sector executives on managing cybersecurity risks by implementing an enterprise information security management program.
The document discusses security solutions and services offered by Connection to help organizations address increasing cyber threats. It describes Connection's approach of assessing vulnerabilities, developing risk management strategies, and implementing unified security stacks and managed security services to continuously protect, detect, and react to threats. Connection's experts can help organizations understand and prioritize security risks, implement appropriate solutions, and manage security programs on an ongoing basis.
This document provides an overview of ISO 27005, which provides guidelines for information security risk management. It discusses establishing the context for risk management, assessing risks, treating risks, and monitoring the risk management process on an ongoing basis. Key activities covered include risk identification, analysis, evaluation, and acceptance criteria. Qualitative and quantitative risk analysis methodologies are described. The goal is to take a systematic approach to identify security needs and risks in order to create an effective information security management system.
Risk Identification is the process of determining risks that could affect a project. Participants include the project manager, team, risk management team, subject matter experts, customers, end users, and other stakeholders. Risks are identified through iterative processes as the project progresses. Inputs include the project scope statement, risk management plan, and project management plan. Tools used include documentation reviews, brainstorming, checklists, and diagrams. The output is a risk register listing identified risks, potential responses, and risk categories.
The CRISC certification validates experience in building a well-defined, agile risk management program based on best practices to identify, analyze, evaluate, assess, prioritize and respond to risks. The certification focuses on four domains: governance (26%), IT risk assessment (20%), risk response and reporting (32%), and information technology and security (22%). Maintaining the CRISC certification demonstrates skills and knowledge in using governance best practices and continuous risk monitoring and reporting to enhance business resilience and stakeholder value.
This lecture provides short and comprehensive view of software project and risk management. It has basic examples and calculations which is main concern of software project manager. This lecture helps to understand basics of risk management.
This document discusses principles of risk management from a textbook on information security. It describes approaches for identifying risks, assessing their likelihood and impact, and selecting risk mitigation strategies. Key strategies discussed include risk defense, transfer, mitigation, acceptance, and termination. The document also covers how to justify controls using a cost-benefit analysis and benchmarks for best practices.
This document discusses project risk management for an IT project management course. It defines risk management and identifies key risk management processes: planning, identification, analysis, response planning, and monitoring/control. Various risk analysis techniques are described like probability/impact matrices and decision trees. The goal of risk management is to minimize negative risks while maximizing positive opportunities through risk avoidance, acceptance, transference, or mitigation strategies.
Kumar Bishwakarma gave a presentation on the basics of risk management. He discussed (1) reactive and proactive risk handling strategies, with reactive focusing on problems after they occur and proactive identifying risks in advance. He also covered (2) software risks like project, technical, business, known, predictable and unpredictable risks. Finally, he explained the process of (3) risk identification, projection, assessment, refinement, and developing a risk management, mitigation, monitoring and management plan to address risks throughout a project.
Webinar - Building Team Efficiency and EffectivenessInvensis Learning
Wouldn’t it be great if you could get to better ideas faster? If you learn to master just two thinking skills, you can! Many of the PMI supported tools have origins in creativity. As such, these tools are best leveraged when you apply divergent thinking (to generate) or convergent thinking (to narrow). This session will explore the principles of divergent and convergent thinking and provide examples of techniques to maximize their power in decision making, problem solving and performance feedback.
Connection's Security Practice offers solutions and services to counteract increased cybersecurity risks. They take a comprehensive approach focusing on protection, detection and reaction. Their experts assess vulnerabilities, develop prioritized remediation plans, and implement the right security solutions. They also provide managed security services for ongoing monitoring and risk management.
Connection's Security Practice offers solutions and services to help organizations address increasing cybersecurity threats and risks. They take a comprehensive approach focusing on protecting systems, detecting security issues, and reacting quickly to potential breaches. Their services include security assessments, risk analysis, implementation of security solutions, and ongoing managed security services to help organizations manage threats continuously. They take a unified approach considering people, processes, technology, and the overall security lifecycle to help organizations define and manage security risks.
This document provides an introduction to information systems risk management. It defines key risk management terms like risk, threat, vulnerability, likelihood, and impact. It explains the processes of risk assessment, including qualitative and quantitative approaches. It also outlines strategies for managing risks, including mitigation, transference, acceptance, and avoidance. Effective communication of risks and implementation of risk management strategies through a Plan of Action & Milestones is discussed as important aspects of the overall risk management process.
This document provides an overview of project risk management. It defines risk as the possibility of suffering loss and discusses how risk changes throughout a project's life. Key aspects of risk management are identified, including risk identification, assessment, response planning, monitoring and control. Various risk management techniques are described, such as risk maps, hazard control matrices, and defining risk ownership. The document emphasizes that effective risk management can help improve project success.
The presentation about Project Risk Management conducted by Mr. Mohamad Boukhari for the project management community in Lebanon during PMI Lebanon Chapter monthly lecture.
3. Information Security and Risk Management (IS&RM)
• Microsoft’s Information Security (InfoSec) organization
• Responsible for information security risk management
• Information protection, enterprise business continuity planning
• Accelerate secure and reliable business for Microsoft, partners and customers
• Publisher of The Security Risk Management Guide
4. ACE team
• The ACE (Assessment, Consulting & Engineering) team is the assessment arm of Microsoft’s Information Security & Risk Mgmt. (IS&RM) organization
• Provides security assessment services to both Microsoft and Microsoft’s enterprise + public sector customers
• Shares and showcases with external customers how Microsoft manages risks
• Learns and brings back best practices from Microsoft’s customers
5. My planned contributions to ACE
Assessments
• Risk assessments – Threat modeling, business impact analysis, threat to vulnerability pairing, qualitative/quantitative analysis, STRIDE, DREAD
• Compliance checks – ISO, HIPAA, PCI
• Due diligence – Security gap analysis, future state model design, constraints assessments
• Strategy – Assess the capability, maturity and roadmaps for investments in InfoSec, business continuity, migration to cloud
6. My planned contributions to ACE
Consultation
• Assist clients in achieving their goals in areas of cloud and mobile security
• Provide advice on use of Microsoft’s security tools and SDL based development methodology
• Assist clients in leveraging security frameworks
• Educate in effective use of security best practices
• Help companies in developing & establishing security practice, programs, RFP/RFI
7. My planned contributions to ACE
Engineering
• Manage installation, instrumentation of data center components where security is in scope
• Manage security features in electrical cabling, power units, physical security devices, storage areas
• Triage and delegate security issues related to engineering systems, motherboards
8. My planned contributions to ACE
Program Management
• Plan, design, develop strategies for innovative security features for a “mobile-first, cloud-first” environment
• Delegate, monitor project activities based on program needs and client feedback
• Manage red / blue teams related to penetration testing / ethical hackers
• Work on internal training programs and mentor juniors in achieving capabilities in InfoSec
10. Risk
What is risk?
• Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization/asset
11. Threat-sources
• Accidental / intentional disclosure
• Alteration of licensed IT components
• System Configuration errors
• Network errors
• Equipment malfunction
• Natural disaster
• War
12. Vulnerability
• A flaw or weakness in system security procedures, design, implementation, or internal controls
• This could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy
13. Risk assessment
• Risk is assessed by identifying threats and vulnerabilities, then determining the likelihood and impact for each risk
• Broadly two types:
1. Quantitative risk assessment
2. Qualitative risk assessment
14. Quantitative risk assessment
• By assigning values to information, systems, business processes, recovery costs, etc., impact, and therefore risk, can be measured in terms of direct and indirect costs
• Mathematically, quantitative risk can be expressed as Annualized Loss Expectancy (ALE)
15. Quantitative risk assessment
ALE = SLE * ARO
Where:
• ALE is the monetary loss that can be expected for an asset due to a risk being realized over a one-year period
• SLE (Single Loss Expectancy) is the value of a single loss of the asset. This is the impact of the loss
• ARO (Annualized Rate of Occurrence) is how often the loss occurs per year. This is the likelihood
16. Qualitative risk assessments
• Qualitative risk assessments typically give risk results of “High”, “Moderate” and “Low”
• By providing the impact and likelihood definition tables and the description of the impact, it is possible to adequately communicate the assessment to the organization’s management
17. Impact and likelihood table
Tabulating the variables to determine the criticality of the risks that need to be prioritized and addressed
18. Relating threats to vulnerabilities
• Establishing the relationship is a mandatory activity, since risk is defined as the exercise of a threat against a vulnerability
• This is often called threat-vulnerability (T-V) pairing
• For instance, a threat of “flood” obviously applies to a vulnerability of “lack of contingency planning”
19. How is risk managed?
• There are four basic strategies for managing risk: mitigation, transference, acceptance and avoidance
• For each risk management strategy, the cost associated with the strategy and the basic steps for achieving the strategy (known as the Plan Of Action & Milestones or POAM) must also be determined
20. Mitigation
• Mitigation is the most commonly considered risk management strategy
• Mitigation involves fixing the flaw or providing some type of compensatory control to reduce the likelihood or impact associated with the flaw
• A common mitigation for a technical security flaw is to install a patch provided by the vendor
21. Transference
• Transference is the process of allowing another party to accept the risk on your behalf
• This is not widely done for IT systems; however, cloud models provide an opportunity
• Using SaaS or PaaS cloud models, some amount of risk is transferred to the CSP (cloud service provider)
22. Acceptance
• Acceptance is the practice of simply allowing the system to operate with a known risk
• Many low risks are simply accepted
• Risks that have an extremely high cost to mitigate are also often accepted
23. Avoidance
• Avoidance is the practice of removing the vulnerable aspect of the system or even the system itself
• An example is removing a legacy admin system that is causing high-impact errors in operations
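The following Python is an added worked example, not code from the original deck, that applies the ALE = SLE * ARO formula from the quantitative risk assessment slide to a constructed register of T-V pairs and then weighs each candidate control by the ALE it removes against its annual cost, which is the per-strategy cost the "How is risk managed?" slide says must be determined. The strategy rule (accept low risks and risks whose control costs more than the loss it prevents, otherwise mitigate) follows the Mitigation and Acceptance slides; all asset values, rates, control costs and the acceptance threshold are constructed assumptions.

```python
"""Quantitative risk register: ALE = SLE * ARO plus a cost check per control.

Added worked example, not code from the original deck.  Every asset value,
rate, control cost and the acceptance threshold below is constructed sample
data chosen only to illustrate the calculation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat-vulnerability (T-V) pair as recorded in a risk register."""
    asset: str
    threat: str
    vulnerability: str
    sle: float   # Single Loss Expectancy: monetary impact of one loss event
    aro: float   # Annualized Rate of Occurrence: expected loss events per year

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy, the deck's ALE = SLE * ARO."""
        return round(self.sle * self.aro, 2)


@dataclass(frozen=True)
class Control:
    """A candidate mitigation: it lowers ARO and/or SLE at a recurring cost."""
    name: str
    annual_cost: float
    residual_sle: float   # SLE once the control is in place
    residual_aro: float   # ARO once the control is in place

    @property
    def residual_ale(self) -> float:
        """ALE that remains after the control is applied."""
        return round(self.residual_sle * self.residual_aro, 2)


def annual_savings(risk: Risk, control: Control) -> float:
    """ALE the control removes: ALE before minus ALE after."""
    return round(risk.ale - control.residual_ale, 2)


def net_benefit(risk: Risk, control: Control) -> float:
    """Savings minus the control's yearly cost; positive means it pays for itself."""
    return round(annual_savings(risk, control) - control.annual_cost, 2)


def recommend(risk: Risk, control: Control, accept_below: float) -> str:
    """Choose a strategy using the deck's rules of thumb.

    Low risks are accepted, and so are risks whose control costs more than
    the loss it prevents; everything else is mitigated.  The numeric
    threshold `accept_below` is an assumption each organization sets itself.
    """
    if risk.ale < accept_below:
        return "accept"
    if net_benefit(risk, control) <= 0:
        return "accept"
    return "mitigate"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order T-V pairs by ALE, highest first, so the worst risk is seen first."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def poam_rows(register: list[Risk], controls: dict[str, Control],
              accept_below: float) -> list[dict]:
    """Build Plan Of Action & Milestones rows for the assessment report."""
    rows = []
    for risk in prioritize(register):
        control = controls[risk.asset]
        strategy = recommend(risk, control, accept_below)
        rows.append({
            "asset": risk.asset,
            "tv_pair": f"{risk.threat} -> {risk.vulnerability}",
            "ale": risk.ale,
            "strategy": strategy,
            "action": control.name if strategy == "mitigate" else "none (risk accepted)",
            "annual_cost": control.annual_cost if strategy == "mitigate" else 0.0,
            "status": "proposed",   # updated to "completed" as milestones close
        })
    return rows


# Constructed sample register and candidate controls (illustrative numbers only).
DB_RISK = Risk("customer database", "external attacker", "unpatched web server",
               sle=250_000, aro=0.5)
LEGACY_RISK = Risk("legacy admin system", "operator error", "unsupported software",
                   sle=20_000, aro=2.0)
FLOOD_RISK = Risk("file server", "flood", "lack of contingency planning",
                  sle=80_000, aro=0.05)
REGISTER = [FLOOD_RISK, DB_RISK, LEGACY_RISK]

CONTROLS = {
    "customer database": Control("monthly vendor patch cycle", annual_cost=40_000,
                                 residual_sle=250_000, residual_aro=0.1),
    "legacy admin system": Control("extended vendor support contract", annual_cost=45_000,
                                   residual_sle=20_000, residual_aro=0.5),
    "file server": Control("offsite backup of file server data", annual_cost=6_000,
                           residual_sle=10_000, residual_aro=0.05),
}
ACCEPT_BELOW = 10_000   # assumed management threshold for accepting a risk outright


if __name__ == "__main__":
    for row in poam_rows(REGISTER, CONTROLS, ACCEPT_BELOW):
        print(row)
```

Running the block prints the POAM rows in ALE order: the database risk is mitigated because the patch cycle removes more ALE than it costs, while the legacy system (control dearer than the loss it prevents) and the flood risk (below the acceptance threshold) are accepted.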
25. Communicating risks
• A Plan Of Action & Milestones (POAM) should be part of the risk assessment report presented to management
• The POAM is a tool to communicate to management the proposed and actual completion of the implementation of the risk management strategies
28. Framing risk
• Risk framing establishes the context and provides a common perspective on how organizations manage risk
• Risk framing, as its principal output, produces a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk
• Mainly senior leaders and program managers at Tier 1 & 2 are responsible
29. Risk assessment
• Risk assessment identifies, prioritizes, and estimates risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation
• All tiers provide their reports to the security officer for a further action plan
30. Risk response
• Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation
• Typically occurs at Tier 1 or Tier 2, with feedback from Tier 3
31. Risk monitoring
Risk monitoring provides organizations with the means to:
(i) verify compliance;
(ii) determine the ongoing effectiveness of risk response measures; and
(iii) identify risk-impacting changes to organizational information systems and environments of operation
32. Information technology continuity plan
Conduct a business impact analysis to identify:
1. Critical IT resources
2. Outage impacts and allowable outage times
3. Protocols to provide uninterrupted power by using UPS devices, power
4. Store backup data in a secure and protected offsite location
5. Develop recovery strategies that allow critical IT resources to be recovered within 24 hours
6. Document the recovery strategy
34. General risk assessment tools
• National Institute of Standards & Technology (NIST) Methodology – US federal government based
• OCTAVE® - The Software Engineering Institute (SEI) at Carnegie Mellon University developed the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) process
• FRAP - The Facilitated Risk Assessment Process (FRAP) is the creation of Thomas Peltier. FRAP applies formal qualitative risk analysis methodologies: vulnerability analysis, hazard impact analysis, threat analysis and questionnaires
35. General risk assessment tools
• COBRA - The Consultative, Objective and Bi-functional Risk Analysis (COBRA) process was created by C & A Systems Security Ltd. It treats risk assessment as a business issue rather than a technical issue, and is one of the tools that can be purchased and used to perform self-assessments of risk
• Risk Watch - Uses an expert knowledge database to walk the user through a risk assessment and provide reports on compliance as well as advice on managing the risks
41. Microsoft’s STRIDE threat categories
• Spoofing identity – pose as another user
• Tampering with data – malicious modification of data
• Repudiation – can the (prohibited) action be traced back to who performed it?
• Information disclosure – disclosure of information to individuals who aren’t supposed to have it
• Denial of service – deny access to valid users (e.g. consume all the CPU time)
• Elevation of privilege – unprivileged user gains privileged access (becomes part of the trusted system)
42. Microsoft’s DREAD model to rank threat severity
• Damage potential: The extent of the damage if the vulnerability is exploited
• Reproducibility: How often an attempt at exploiting the vulnerability works
• Exploitability: How much effort is required? Is authentication required?
• Affected users: How widespread could the exploit become?
• Discoverability: The likelihood that a researcher or attacker will find it
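Added example, not from the slides, that ties slide 41 and slide 42 together: each threat carries a STRIDE category and five DREAD ratings, and `rank_threats` orders them by severity. The 1-10 scale per factor, the averaging of the five factors and the High/Medium/Low bands are common conventions assumed here, not something the slides specify; the sample threats are constructed.

```python
# Added example, not from the slides: STRIDE-categorised threats ranked with DREAD.
# Assumptions (not on the slides): 1-10 per factor, score = mean of the five
# factors, bands High >= 7, Medium >= 4, else Low. Sample threats are constructed.
from dataclasses import dataclass

STRIDE = {"spoofing", "tampering", "repudiation", "information_disclosure",
          "denial_of_service", "elevation_of_privilege"}
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")
@dataclass(frozen=True)
class Threat:
    name: str
    category: str   # one STRIDE category
    ratings: dict   # DREAD factor -> integer 1..10

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {self.category!r}")
        missing = set(DREAD_FACTORS) - set(self.ratings)
        if missing:
            raise ValueError(f"missing DREAD factors: {sorted(missing)}")
        for factor, value in self.ratings.items():
            if factor not in DREAD_FACTORS or not 1 <= value <= 10:
                raise ValueError(f"bad rating {factor}={value}")

def dread_score(threat):
    """Mean of the five DREAD factors on the assumed 1-10 scale."""
    return sum(threat.ratings[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)

def severity(score):
    """Assumed bands: High >= 7, Medium >= 4, otherwise Low."""
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"

def rank_threats(threats):
    """(name, category, score, severity) tuples, most severe first."""
    scored = [(t.name, t.category, dread_score(t), severity(dread_score(t))) for t in threats]
    return sorted(scored, key=lambda row: row[2], reverse=True)

THREATS = [  # constructed threat model for a small web application
    Threat("session token in URL", "information_disclosure",
           {"damage": 7, "reproducibility": 9, "exploitability": 8,
            "affected_users": 9, "discoverability": 9}),
    Threat("missing audit log on delete", "repudiation",
           {"damage": 4, "reproducibility": 5, "exploitability": 3,
            "affected_users": 2, "discoverability": 3}),
    Threat("unbounded regex on input", "denial_of_service",
           {"damage": 6, "reproducibility": 8, "exploitability": 6,
            "affected_users": 8, "discoverability": 5}),
]
```

`rank_threats(THREATS)` places the information-disclosure item first (8.4, High), the denial-of-service item second (6.6, Medium) and the repudiation item last (3.4, Low), which is the ordering a remediation POAM would follow.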
43. Security development lifecycle (SDL)
• SDL is a software development process that helps developers build secure code and address compliance
44. SDL tools
Requirements tools
• Microsoft Solutions Framework (MSF) for Capability Maturity Model Integration (CMMI) / Microsoft Solutions Framework (MSF) for Agile
Design tool
• Microsoft Threat Modeling Tool 2014 / 2016
46. SDL tools
Verification tools
• BinScope binary analyzer - analyzes binary files
• SDL Regex fuzzer - tests regular expressions for DoS
• SDL MiniFuzz file fuzzer - detects file-handling flaws
• Attack surface analyzer - detects changes in the OS, ACLs, registry and ActiveX controls
• Application verifier - runtime verification tool for native code
47. SDL tools
Release tools
• SDL process template - integrates the policy, process, and tools associated with Microsoft SDL Process Guidance version 4.1 directly into your VSTS
48. Azure network security
• VNet for isolation of VMs
• ACL and NSG – for access control at the VM and subnet level
• Azure Virtual Filtering Platform (VFP) exposes an easy-to-program interface to network agents that act on behalf of network controllers and perform packet processing on each host running in the datacenter
• Service endpoints and Azure fabric-level security mechanisms
49. Security for mobile-first, cloud-first world
• Office 365 app permissions - ability to approve or revoke permissions
• Azure AD Identity Protection - prevents the use of compromised credentials
• Microsoft Cloud App Security - new advanced security capability
• Customer Lockbox - integrates the customer into the approval process
• Azure Security Center - centralized security policy at the subscription level and resource group level (tailored per workload)
50. Security for mobile-first, cloud-first world
• Azure Active Directory Identity Protection - detects suspicious activity; user risk severity is calculated and risk-based policies can be configured at the user level
• WindowsAzure.MobileServices.Backend.Security - security extensions for your .NET mobile backend hosted in Microsoft Azure (controller code level permissions)
• System Center 2012 and Intune - mobile device management (MDM), BYOD policies, remote wipe of data in case of theft
55. The Payment Card Industry Data Security Standard (PCI DSS)
• PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data
• PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers
57. The Payment Card Industry Data Security Standard (PCI DSS)
AUDIT TESTING
58. Disclaimer
• Logos, images and text have been referenced from various sources like NIST, SANS, PCI journals, David Chappell, Microsoft websites, and internet data that is freely available. Full rights belong to the individual owners. References are made strictly for educational and illustration purposes only and for non-commercial use. Please seek the advice of the original authors before using them. I am not responsible for any damages or monetary loss arising from the use of this document.