IT Risk Management. Digicomp Hacking Day, Umberto Annino

Größe: px

Ab Seite anzeigen:

Download "IT Risk Management. Digicomp Hacking Day, 11.06.2014 Umberto Annino"

Adolph Hofmeister
vor 8 Jahren
Abrufe

1 IT Risk Management Digicomp Hacking Day, Umberto Annino

2 Wer spricht? Umberto Annino WirtschaCsinformaEker, InformaEon Security Was ist ein Risiko?! Sicherheit ist das Komplementärereignis zum Risiko! Risiko ist Schaden mit Potenzial 2

3 Gefahr Bedrohung Risiko Schwach- stelle Asset Risiko 3

4 Realitätsabgleich Compliance? Risk Management? OperaEonal Risk, Business ConEnuity? IT, InformaEon Security Cyber Security? Red Team, Threat Modeling, APT and openssl? Big Data??? Security vs. Compliance 4

5 IT Risiko in der Risiko- Hierarchie 5

6 COSO Enterprise Risk Management Framework 6

7 ISO Risk Mgmt (2009) Guidelines and Principles and Framework 7

8 ISO Framework 8

9 ISO Processes 9

10 ! Mandate and commitment Design of framework for managing risk ImplemenEng risk management ISO Processes Understanding of the organisaeon and its context Establishing risk management policy Accountability IntegraEon into organisaeonal processes Resources Establishing internal communicaeon and reporeng mechanisms Establishing external communicaeon and reporeng mechanisms ImplemenEng the framework for managing risk ImplemenEng the risk management process Monitoring and review of the framework ConEnual improvement of the framework 10

Establishing internal communicaeon and reporeng mechanisms Establishing external communicaeon and reporeng mechanisms ImplemenEng the

11 ISO Processes Risk Management Process CommunicaEon and consultaeon Establishing the external context Establishing the internal context Establishing the context of the risk management process Defining risk criteria Risk assessment Monitoring and review Risk ideneficaeon Risk analysis Risk evaluaeon Risk treatment Recording the risk management process 11

risk management process Defining risk criteria Risk assessment Monitoring and review Risk

12 ISO Acributes of enhanced risk management Key outcomes The organisaeon has a current, correct and comprehensive understanding of its risks The organisaeon s risks are within its risk criteria Acributes ConEnual improvement Full accountability for risks ApplicaEon of risk management in all decision making ConEnual communicaeons Full integraeon in the organisaeon s governance structure 12

criteria Acributes ConEnual improvement Full accountability for risks ApplicaEon of risk

13 ISO InformaEon Security Risk Management 13

14 ISO Context Establishment Basic Criteria Risk management approach Risk evaluaeon criteria Impact criteria Risk acceptance criteria! Scope and Boundaries! OrganisaEon for informaeon security risk management 14

15 ISO InformaEon security risk assessment Risk ideneficaeon Risk analysis IdenEficaEon of assets IdenEficaEon of threats IdenEficaEon of exiseng controls IdenEficaEon of vulnerabiliees IdenEficaEon of consequences Risk analysis methodologies Assessment of consequences Assessment of incident likelihood Level of risk determinaeon 15

IdenEficaEon of vulnerabiliees IdenEficaEon of consequences Risk analysis

16 ITGI RiskIT Framework PosiEonierung 16

17 IT Risk (high level) categories 17

18 RiskIT Framework 18

19 Risk maps... Risk appeete Risk tolerance Risk culture 19

20 Risk culture 20

21 IT risk scenario development 21

22 Risk scenario components 22

23 Aber: scenario based...! keeping it real! 23

24 IT Risk Response opeons and prioriesaeon 24

25 Verwalten von IT Risiken Konsolidierung Risiko management Risiko analyse Risiko lenkung Risiko idenefikaeon Risiko bewertung Risiko bearbeitung Risiko tracking Link to business QuanEtaEv QualiEaEv StaEsEsche Basis Admin Disziplin/ Aufwand Kosten ROI Nachvollzieh- barkeit Konstanz (Zahlen) 25

26 QuanEfizieren von IT Risiken Big Data? Loss DB? Komplexität von InformaEonssystemen (und SoCware)? 26

27 QuanEfizieren von IT Risiken In der Praxis eher qualitaev stac quanetaev Fehlende staesesche Basis Prinzipiell komplexe Systeme Wenig akuter Bedarf zur QuanEfizierung! über Verknüpfung mit Business Process Konsolidierung der Werte für Management ReporEng als Grundlage für QuanEfikaEon In der Praxis eher erste Schrice stac best pracese ISO 27005, ITGI RiskIT Framework und PracEcEoner Guide bieten brauchbare Grundlagen (Framework) 27

28 Risk Treatment Risk treatment Controls Measures Avoid Eliminate Avoid / Verhindern Reduce Minimize Detect / Entdecken Transfer Externalize Minimize / Eindämmen Accept Residual Risk 28

29 Risk Treatment ISO

30 Konsolidieren von IT Risiken Disjointed risks 30

31 Konsolidieren von IT Risiken shared risks 31

32 32

Ähnliche Dokumente

IT Governance im Zusammenspiel mit IT Audit

IT Governance im Zusammenspiel mit IT Audit ISACA After Hours Seminar Nicola Varuolo, Internal Audit AXA AXA Gruppe 52 Millionen Kunden weltweit 79 Milliarden Euro Geschäftsvolumen 150 000 Mitarbeitende