
0 - Introduction To Cybersecurity Risk Management


IT 727-A & OL – Managing Cybersecurity Risk

Cybersecurity & Risk Management

Dr. Ibrahim Waziri Jr.
Security

Security: The state of being secure and free from danger or harm; the actions taken to make someone or something secure.

Information Security: The protection of information and its critical elements.
• The standard definition, based on the CIA triad (confidentiality, integrity, availability), is inadequate!!!

Organizational Security Focus: Design and create safe environments in which business processes and procedures can function.

“create safe” = security = Risk Management
Risk Management & Governance

Risk: The probability of an event and its consequences; often seen as an adverse event that negatively impacts assets by exploiting vulnerabilities.

Risk management: The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.

Governance: Accountability (Board of Directors, Senior Management etc.) for the protection of organization assets and for adding VALUE.

Governance Principle: Alignment of functions to business strategy, goals, mission and objectives; applicable to all departments of the organization.
• Are we doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits?
“benefits” = added value = Governance

Management vs Governance:
• Management focuses on planning, building, running & monitoring activities.
• Governance creates VALUE by achieving objectives.

Risk management supports Governance!!!

Risk Governance

Risk Governance: Ensures risk management and its practices are embedded in the organization's governance.

Risk Governance Objectives:
• Establish and maintain a common view of risk
• Integrate risk management into the enterprise
• Make risk-aware business decisions
• Ensure that risk management controls are implemented and operating correctly

--
• A risk in one area is a threat to all other areas of the enterprise
• Governance & Risk Management require accurate information
• Information is stored on technology.

IT Governance & Risk Management
IT Risk Management & Governance

IT Risk Management: Evaluation, Direction & Control of Information Technology

IT Governance:
• Value Creation – Ensure that IT creates value for the organization
• Resource optimization
• Benefits and objectives realization
• Business Continuity etc.

Compliance:
• Senior Management – Accountable – Set rules & policies (You can’t delegate)
• Everyone – Responsible – You delegate responsibilities – Make it happen

GRC = Governance, Risk and Compliance!
Introduction – Roles

Hierarchy shown on the slide (read top down; the bottom-up approach runs the other way):
• Board, Stakeholders etc.
• Senior Management (Enterprise Policy)
• Committee (Audit, Change Mgt etc.)
• Mid Management (Security Functions Policy)
• Procedures, Guidelines, Standards
• Baselines

Top Down Approach | Bottom Up Approach
Frameworks, Regulations, Standards, Guidelines etc.

CSA, SOX, FEDRAMP, FFIEC, GDPR, COBIT, ISACA, SCF, PIPEDA, GLBA, FISMA, ASD, COSO, NIST RMF (NIST 800 Series), ISO 31000, OCTAVE, CIS, ISO 27000, DISA STIGS, HIPAA, PCI-DSS
What is the purpose of Cybersecurity & Risk Management?

VALUE
Risk Management Life Cycle

The cycle shown on the slide:
• IT Risk Identification
• IT Risk & Control Assessment
• IT Risk Response and Mitigation
• IT Risk Monitoring and Reporting