0 - Introduction To Cybersecurity Risk Management
Risk Management
IT 727-A & OL – Managing Cybersecurity Risk
Security
Security: State of being secure and free from danger or harm; the actions taken to
make someone or something secure.
Risk management: The process of identifying risk, assessing its relative magnitude, and taking
steps to reduce it to an acceptable level.
Governance: Accountability for the protection of organization assets (Board of Directors, Senior
Management, etc.).
Governance Principle: Alignment of functions to business strategy, goals, mission and objectives;
applicable to all departments of the organization.
• Are we doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits?
“benefits” = added value = Governance
Management vs Governance:
• Management focuses on planning, building, running and monitoring activities.
• Governance creates VALUE by achieving objectives.
Risk Governance
Risk Governance – Ensures that risk management and its practices are embedded in the organization's
governance.
• A risk in one area is a threat to all other areas of the enterprise
• Governance & Risk Management requires accurate information
• Information is stored on technology.
IT Governance:
• Value Creation - Ensure that IT creates value for the organization
• Resource optimization.
• Benefits and objectives realization
• Business Continuity etc.
Compliance:
• Senior Management – Accountable – Sets rules and policies (accountability can't be delegated)
• Everyone – Responsible – Responsibilities are delegated – Makes it happen
Introduction – Roles
• Board, Stakeholders, etc.
• Senior Management (Enterprise Policy)
• Committee (Audit, Change Mgt, etc.)
• Mid Management (Security Functions Policy)
• Procedures, Guidelines, Standards, Baselines
Frameworks, standards and regulations referenced: CSA, SOX, FEDRAMP, FFIEC, GDPR, COBIT, ISACA, SCF, PIPEDA, GLBA, FISMA, ASD, COSO, NIST RMF (NIST 800 Series), ISO 31000, OCTAVE, CIS.
• IT Risk Identification
• IT Risk Response and Mitigation