A company from Taiwan http://www.amicliens.com

Post on 04-Sep-2020

TRANSCRIPT

Page 1: A company from Taiwan...2018/09/17  · Software •Software Engineering & Programming •Information Security (exam-centric) •English (partnership with native speakers) Training

A company from Taiwan

http://www.amicliens.com

Page 2:

Mission

To Help People

Enjoy Learning

Page 3:

CISSP Made Easy

Risk Management

2018/09/10

Wu, Wentz

http://WentzWu.com

Page 4:

Wentz Wu

An inspirational coach and lifelong learner

[email protected]

http://WentzWu.com

Page 5:

Wentz Wu

◼ Professional Experience

⚫Co-founder, Amicliens Service Technology

⚫Also known as Bruce Wu

⚫Designated as Project Manager

⚫20+ Years of IT Experience

◼Education

⚫Executive MBA from Troy State University

⚫Bachelor of Information Management from Tamkang University, Taiwan

Page 6:

Certifications

◼ Project Management

⚫ PMI-PMP, Project Management Professional

⚫ PMI-ACP, Agile Certified Practitioner

⚫ PMI-PBA, Professional in Business Analysis

⚫ PMI-RMP, Risk Management Professional

◼ Security Governance

⚫ CISM, Certified Information Security Manager

⚫ CRISC, Certified in Risk and Information Systems Control

⚫ CISA, Certified Information Systems Auditor

◼ Security Assurance

⚫ CISSP, Certified Information Systems Security Professional

⚫ Provisionally passed ISC2 CCSP exam on 2018/09/07

⚫ Provisionally passed ISC2 CSSLP exam on 2018/09/13

◼ Information Technologies

⚫ AWS-CSAA, AWS Certified Solution Architect – Associate

⚫ MCSD, Microsoft Certified Solutions Developer on App Builder

⚫ MCSD, Microsoft Certified Solutions Developer on VB6 (LEGACY)

⚫ MCDBA, Microsoft Certified Database Administrator on SQL 2000 (LEGACY)

⚫ MCSE, Microsoft Certified Systems Engineer on Win 2000 (LEGACY)

⚫ MCSE, Microsoft Certified Systems Engineer on NT4 (LEGACY)

⚫ MCP, Microsoft Certified Professional Since 1998

Page 7:

My Professional Service Offerings

Software

• Business Solutions and Applications

• Microsoft .NET-based

• Mobile Apps (off-site or off-shore partners)

Training

• Software Engineering & Programming

• Information Security (exam-centric)

• English (partnership with native speakers)

Coaching

• IT Professional Career Paths

• Project Agility

• Effective Learning

Page 8:

My Expertise Stack

IT Infrastructure & Technologies (Network + Telephony + Cloud)

Unified Communication Contact Center

Software Engineering

Domain Knowledge & Professional Experience

Project Management

Business Administration

Quality Software

Functionality + U PASS ME!

Software Craftsmanship

Critical Success Factors

Page 9:

Quality

Usability

Performance

Availability

Scalability

Security

Maintenance

Extensibility

Quality Software

Functionality + U PASS ME!

Information Assurance

Security Governance

Security Technologies

Page 10:

Information Security Certifications

Security Governance

Information Assurance

Security Technologies

ISACA

ISC2

EC-Council

Page 11:

Agenda

• What is risk?

• Risk Metalanguage

• Inherent Risk and Residual Risk

• Risk Treatment/Response

• Risk Management Framework

• Governance, Risk, and Compliance

Page 12:

What is Risk?

• ISO

❑ The combination of the probability of an event and its consequence. (ISO/IEC71)

❑ According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected.

• Dr. Hillson

❑ Uncertainty that matters.

❑ Uncertainty that could affect objectives.

❑ Uncertainties which if they occur will have a positive or negative effect on one or more objectives.

http://www.who.int/management/general/risk/WhenRiskNotRisk.pdf

Page 13:

Risk Elements

Cause Risk Effect

Page 14:

Risk Metalanguage

Cause Risk Effect

• As a result of using novel hardware, unexpected system-integration errors may occur which would lead to overspending on the project.

• Because our organization has never done a project like this, we might misunderstand the customer's requirement, and our solution would not meet the performance criteria.

https://www.pmi.org/learning/library/project-risks-causes-risks-effects-4663

Page 15:

Residual Risk

Inherent Risk

Treatment

Residual Risk

Page 16:

Risk Treatment/Response

Page 17:

Risk Management Framework

Board of Directors

Executives (Senior Management)

Management

Employees

• NIST SP 800-39

• COBIT for Risk

• COSO

• ISO 31000

• ISO 27005

Page 18:

The Sarbanes-Oxley Act, SOX

◼ Arthur Andersen

⚫ Enron scandal, 2001

⚫ WorldCom scandal, 2002

◼ Big Four accounting firms

https://en.wikipedia.org/wiki/Big_Four_accounting_firms

Page 19:

COSO

https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf

Page 20:

ISO 31000

http://rmacademy.modulo.com/glossary/iso-31000/

Page 21:

COBIT for Risk

https://blogs.itb.ac.id/el5216/2013/12/06/4/

Page 22:

ISO 27005

https://www.researchgate.net/figure/The-ISO-27005-Risk-Management-workflow_fig1_308887387

Page 23:

NIST SP 800-39

Page 24:

PMI Project Risk Management

https://prozcomblog.com/2016/09/02/an-approach-to-risk-management-in-the-language-industry-part-2-of-5/

Page 25:

Corporate Governance

http://www.20microns.com/corporate-governance/

Corporate Governance

Board of Directors and Committees

Strategic Management

Enterprise Architecture

Monitoring and Internal Control

Laws and Regulations

Risk - Compliance

Page 26:

Strategic Management

https://www.smartinsights.com/goal-setting-evaluation/goals-kpis/difference-marketing-objectives-marketing-goals/

Vision

Goals

Objectives

KPIs and CSFs

Metrics and Measures

Future & Direction

Mission: Purpose and Values

SMART Goals

Strategic Planning

Balanced Score Card

Management by Objectives

Page 27:

GRC

Governance

Risk

Compliance

• Vision/Goals/Strategy

• Enterprise Architecture

• Threats and Opportunities

• Risk Appetite

• Laws and Regulations

• Due Care/Due Diligence

• Ethics

Page 28:

Enterprise Risk Types

https://www.mindmeister.com/generic_files/get_file/7065118?filetype=image_file&img=18627574&cb=6ceca5

Page 29:

Compliance

Explicit

Laws

Regulations

Industry Standards

Implicit

Due Care/Due Diligence

Ethics

Page 30:

Wentz Wu

An inspirational coach and lifelong learner

[email protected]

http://WentzWu.com