neupart webinar 1: four shortcuts to better risk assessments
Post on 18-Nov-2014
Webinar: 4 shortcuts to professional IT risk assessments
Presented by Lars Neupart, Founder and CEO of Neupart. Information Security Management. LN@neupart.com, twitter @neupart
About Neupart • ISO 27001 certified company.
• Provides SecureAware®, an all-in-one, efficient ISMS solution allowing organizations to automate IT governance, risk and compliance management.
• “The ERP of Security”
• HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies.
IT GRC = IT Governance,
Risk & Compliance Management
Program
• Introduction
• Business Impact Assessments
• Threat Catalogues
• Vulnerability Assessments
• Carrying out a risk assessment project
• Summary of shortcuts to better risk assessments
Selected ISO 2700x standards
ISO 27000 • Overview and vocabulary
ISO 27001 • Information Security Management Systems - Requirements
ISO 27002 • Code of practice for information security management
ISO 27003 • ISMS Implementation Guidelines
ISO 27004 • Information Security Management - Measurement
ISO 27005 • Information Security Risk Management
ISO 27006 • Requirements for bodies providing audit and certification
ISO 31000 Enterprise Risk Management
Plan - Do - Check - Act
Comparing ISO 27005 and NIST SP800-30
ISO 27005:
• Context establishment
• Identification of assets
• Identification of threats
• Identification of existing controls
• Identification of vulnerabilities
• Identification of consequences
• Assessment of consequences
• Assessment of incident likelihood
• Risk estimation
• Risk evaluation
• Risk treatment
• Risk acceptance
• Risk communication
NIST SP800-30:
• System Characterization
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Likelihood Determination
• Impact Analysis
• Risk Determination
• Control Recommendations
• Results Documentation
ISO 27005 is:
• A threat based risk management guidance
• Considered best practice
• Well aligned with other risk frameworks
• A method to comply with ISO 27001 risk management requirements
ISO 27005
Business Impact Assessment
ISO 27005: Estimate the business impact from breaches on CIA (confidentiality, integrity, availability)
• Financial terms: revenue, cash flow, costs, liabilities
• Non-financial terms: image, non-compliance, competitiveness, service level
Example: Business Impact Assessment
Example from SecureAware
Threats
Example: Threat Catalogue
Example from SecureAware
Not all assets burn (hint: link your threats to asset types)
Example from SecureAware
Reduce Likelihood - Proactive Security
• IT Security Policy
• Compliance & Awareness
• Change Management
• Operating Procedures
• Access Control
• Monitoring
• System Redundancy
• Firewall
• Antivirus
Reduce Consequence - Reactive Security
• IT Service Continuity Teams
• IT Service Continuity Strategy
• IT Service Continuity Plans
• Disaster Recovery Procedures
• Emergency Operations Flexibility
• Standby Equipment
• Virtualization
• Backup
IT Risk Management - Explained
Diagram: Risk prioritization is derived from incident likelihood and incident consequence.
• Incident likelihood: threat frequency, reduced by preventive measures
• Incident consequence: threat effect, reduced by corrective measures
Vulnerability & control environment assessment
Diagram axes: Administrative Measures, Physical / Technical Measures; Preventive Measures, Corrective Measures. Controls shown:
• Firewalls
• Antivirus
• Server Clusters
• RAID
• Backup/Restore
• Standby Equipment
• Virtualization
• Security Policy
• System Documentation
• Awareness
• Compliance Checks
• Alarm System
• Fire Suppression
• Logging
• Change Management
• IT Service Continuity Plan
• Disaster Recovery Procedures
• Business Continuity Strategy
• Redundancy
• Access Control System
• Standby Site
• Server snapshots
• Monitoring
Recommendation: Base assessments on a maturity level scale
Assess how well your controls address relevant threats
Example: Vulnerability Assessments
Example from SecureAware
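As an added illustration of the risk model on the "IT Risk Management - Explained" slide and the recommendation to score controls on a maturity scale, the following is example code written for this page, not Neupart's or SecureAware's. Risk is incident likelihood times incident consequence; likelihood starts from threat frequency and is reduced by the maturity of the preventive controls that address the threat, consequence starts from threat effect and is reduced by the corrective controls. The 0..5 maturity scale, the 0.2 floor, the threats, the controls and the mapping of controls to the threats they address are all constructed assumptions; the slides give the model but no numbers.

```python
from dataclasses import dataclass

MAX_MATURITY = 5  # assumed 0..5 maturity scale; the slides recommend a maturity scale but give no range


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: int  # how often the threat materialises, 1 (rare) .. 5 (frequent)
    effect: int     # damage if nothing limits it, 1 (minor) .. 5 (severe)


@dataclass(frozen=True)
class Control:
    name: str
    kind: str       # "preventive" (reduces incident likelihood) or "corrective" (reduces consequence)
    maturity: int   # 0 (absent) .. MAX_MATURITY (fully mature)


def control_factor(controls, kind):
    """Multiplier in [0.2, 1.0]: 1.0 when no control of this kind addresses the threat,
    lower as the average maturity of the relevant controls rises. The 0.2 floor is an
    assumption that no control environment drives likelihood or consequence to zero."""
    maturities = [c.maturity for c in controls if c.kind == kind]
    if not maturities:
        return 1.0
    return max(0.2, 1.0 - sum(maturities) / len(maturities) / MAX_MATURITY)


def incident_likelihood(threat, controls):
    return threat.frequency * control_factor(controls, "preventive")


def incident_consequence(threat, controls):
    return threat.effect * control_factor(controls, "corrective")


def risk_score(threat, controls):
    return incident_likelihood(threat, controls) * incident_consequence(threat, controls)


def prioritise(threats, controls, relevance):
    """Score each threat against only the controls that address it (relevance: threat name ->
    control names, i.e. 'assess how well your controls address relevant threats') and return
    (threat, score) pairs, highest risk first."""
    by_name = {c.name: c for c in controls}
    scored = [(t.name, round(risk_score(t, [by_name[n] for n in relevance.get(t.name, [])]), 2))
              for t in threats]
    return sorted(scored, key=lambda s: -s[1])


# Constructed sample data (not from the slides).
THREATS = [
    Threat("Fire", frequency=1, effect=5),
    Threat("Malware", frequency=4, effect=3),
    Threat("Unauthorised access", frequency=3, effect=4),
]
CONTROLS = [
    Control("Firewall", "preventive", 4),
    Control("Antivirus", "preventive", 2),
    Control("Awareness", "preventive", 3),
    Control("Access control system", "preventive", 1),
    Control("Monitoring", "preventive", 2),
    Control("Fire suppression", "corrective", 5),
    Control("Backup/Restore", "corrective", 3),
    Control("Standby site", "corrective", 1),
]
RELEVANCE = {
    "Fire": ["Fire suppression", "Backup/Restore", "Standby site"],
    "Malware": ["Firewall", "Antivirus", "Awareness", "Backup/Restore"],
    "Unauthorised access": ["Access control system", "Awareness", "Monitoring"],
}

if __name__ == "__main__":
    for name, score in prioritise(THREATS, CONTROLS, RELEVANCE):
        print(f"{name:20} risk={score}")
```

With the sample data, "Unauthorised access" comes out on top (7.2) because nothing corrective addresses it, and "Fire" (2.0) outranks the far more frequent "Malware" (1.92) because no preventive control reduces its likelihood. That is the point of linking controls to the threats they address: a mature firewall says nothing about fire risk.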
Assets: Dependency Hierarchy
Business Impact values are inherited downwards; Vulnerability values are inherited upwards.
Example hierarchy (asset: asset type), from the business process at the top down to the data centre:
• Finance: Business Process
• ERP: IT Service
• Dynamics AOS: Business system
• Finance DB: Database
• Server 01, Server 02: Virtual Server
• HP DL380 (two units): Hardware unit
• SAN 01: Data Storage
• Data Center Oslo: Datacenter
Business Processes & IT Services
• Business Process 1 depends on IT Services (on premise)
• Business Process 2 depends on IT Services from a vendor, e.g. cloud
Business Impact scores inherit downwards; Vulnerability scores inherit upwards.
High level assessments
• You can postpone the more detailed assessments and analysis.
• Begin at the top:
– A high level BIA can combine different impact types, e.g. revenue, cost, cash flow, image, in a single question.
– High level vulnerability assessments can combine different threats in a single question.
An assessment project step-by-step
• What business processes, IT services, etc. to include (assets)?
• Who to involve in the assessments?
• Perform interviews / collect data
• Reporting and communication
Risk Management
• Risk Owner
• (Assets)
• Threats
• Business Impact Assessment
• Vulnerability Assessment
• Reporting & evaluating
• Treating (Accept, Reduce, Share, Avoid)
Keep it simple:
Risk Management =
Risk Assessments +
Risk Treatment
Neupart's 4 responsible shortcuts. PS! They also apply to the 2013 edition of ISO 27001.
1: Not all threats
• Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type)
2: Inheritance
• Asset dependencies / hierarchy
• Inheritance: business impact values inherit downwards
• Vulnerability scores inherit upwards
3: Not all assets
• Assess your most important assets first (you can add more later)
4: High level first
• Make an overall assessment first, refine later
• Example: Assess threats combined first, individually later
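Shortcuts 1 and 2 (threats linked to asset types, and inheritance through the asset dependency hierarchy) are easiest to see in code, so here is an added example written for this page, not SecureAware's own implementation. The asset names follow the dependency-hierarchy slide; the dependency edges, the extra HR Portal branch, the three-entry threat catalogue and all impact and vulnerability scores are constructed assumptions. Business impact is propagated downwards (a server is as important as the most important process that depends on it) and vulnerability is propagated upwards (a process is as exposed as the weakest thing underneath it), and a threat is scored directly only on the asset types it can hit.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    asset_type: str
    depends_on: list = field(default_factory=list)    # supporting assets (the layer below)
    impact: int = 0                                    # own business impact, 0 = not assessed, 1..5
    vulnerability: dict = field(default_factory=dict)  # threat name -> own vulnerability score 1..5


# Constructed threat catalogue linked to asset types ("not all assets burn"):
# a threat is only assessed directly on the asset types it can hit.
THREAT_CATALOGUE = {
    "Fire": {"Datacenter", "Hardware unit"},
    "Malware": {"Virtual Server", "Business system"},
    "Disk failure": {"Data Storage", "Hardware unit"},
}


class Inventory:
    """Asset register that propagates scores through the dependency hierarchy (assumed acyclic)."""

    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}
        self.parents = {name: [] for name in self.assets}
        for a in assets:
            for child in a.depends_on:
                self.parents[child].append(a.name)  # KeyError here = dependency on an unregistered asset
        self._impact, self._vuln = {}, {}

    def impact(self, name):
        """Business impact inherits downwards: a supporting asset is at least as
        important as the most important asset that depends on it."""
        if name not in self._impact:
            own = self.assets[name].impact
            self._impact[name] = max([own] + [self.impact(p) for p in self.parents[name]])
        return self._impact[name]

    def vulnerability(self, name, threat):
        """Vulnerability inherits upwards: a service is as exposed to a threat as the
        weakest asset it depends on, even if the threat cannot hit the service itself."""
        key = (name, threat)
        if key not in self._vuln:
            a = self.assets[name]
            own = a.vulnerability.get(threat, 0) if a.asset_type in THREAT_CATALOGUE[threat] else 0
            self._vuln[key] = max([own] + [self.vulnerability(c, threat) for c in a.depends_on])
        return self._vuln[key]

    def register(self):
        """(asset, threat, impact x vulnerability) for every pair with a non-zero score, highest first."""
        rows = [(n, t, self.impact(n) * self.vulnerability(n, t))
                for n in self.assets for t in THREAT_CATALOGUE]
        return sorted((r for r in rows if r[2] > 0), key=lambda r: (-r[2], r[0], r[1]))

    def top_risks(self, asset_type):
        """Risk register filtered to one asset type, e.g. the business processes a risk owner reports on."""
        return [r for r in self.register() if self.assets[r[0]].asset_type == asset_type]


# Constructed sample inventory: names follow the slide, edges and scores are assumptions.
SAMPLE_ASSETS = [
    Asset("Finance", "Business Process", ["ERP"], impact=5),
    Asset("HR Portal", "Business Process", ["Intranet"], impact=2),
    Asset("ERP", "IT Service", ["Dynamics AOS"]),
    Asset("Intranet", "IT Service", ["Server 03"]),
    Asset("Dynamics AOS", "Business system", ["Finance DB", "Server 01"], vulnerability={"Malware": 2}),
    Asset("Finance DB", "Database", ["Server 02"]),
    Asset("Server 01", "Virtual Server", ["HP DL380 #1"], vulnerability={"Malware": 3}),
    Asset("Server 02", "Virtual Server", ["HP DL380 #2"], vulnerability={"Malware": 1}),
    Asset("Server 03", "Virtual Server", ["HP DL380 #1"], vulnerability={"Malware": 4}),
    Asset("HP DL380 #1", "Hardware unit", ["Data Center Oslo"], vulnerability={"Fire": 2, "Disk failure": 2}),
    Asset("HP DL380 #2", "Hardware unit", ["SAN 01", "Data Center Oslo"], vulnerability={"Fire": 2, "Disk failure": 1}),
    Asset("SAN 01", "Data Storage", ["Data Center Oslo"], vulnerability={"Disk failure": 4}),
    Asset("Data Center Oslo", "Datacenter", vulnerability={"Fire": 3}),
]

if __name__ == "__main__":
    inv = Inventory(SAMPLE_ASSETS)
    for asset, threat, score in inv.top_risks("Business Process"):
        print(f"{asset:10} {threat:13} impact={inv.impact(asset)} "
              f"vuln={inv.vulnerability(asset, threat)} risk={score}")
```

Two things the output shows that the slide only states: the HP DL380 #1 hardware unit inherits impact 5 from Finance although it also serves the low-impact HR Portal (impact flows down from the most important dependant), while the weak patching score on Server 03 never reaches Finance because Finance does not depend on it (vulnerability flows up only along real dependencies). Nobody assessed "Fire" on the Finance process itself; its fire exposure of 3 comes entirely from the data centre below it.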
Resources
• White papers and presentations at the Neupart blog
– treatingrisk.blogspot.com
• Educational webinars and SecureAware live demos at our website:
– neupart.com/events
• SecureAware ISMS tool
– www.neupart.com/products
– ISO 27001 Policy & Compliance Management, IT Risk Management
– Out of the box solution; free trial
More webinars: Treating Risks - today 4pm CET
SecureAware Live Demo - tomorrow 2pm, neupart.com/events
INFORMATION SECURITY MANAGEMENT
Asset Management
Your best and worst assets
Example from SecureAware
Risk Management Projects
Example from SecureAware
Key features summary - Risk TNG
• Business impact assessment
• Vulnerability assessment
• Role based interviews
• Flexible asset inventory for any type of asset, i.e. business processes, IT services, and their relationships
• Customizable threat catalogue
• Risk dashboards & flexible reporting options
• Risk treatment processes
• API