The Importance of Risk Management
TRANSCRIPT
“The definitive risk assessment tool for ISO27001 certification”
Copyright © Vigilant Software Ltd 2013
Alan Calder
CEO, Vigilant Software
Thursday, May 16th 2013
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING.
Q&A IS HANDLED THROUGH A COMBINATION OF WEBEX CHAT/TEXT AND VOICE.
The Importance of Risk Management
Alan Calder
• CEO and founder of Vigilant Software
• Acknowledged information security/risk management
thought leader
• Managed the world’s first successful ISO27001 (then
BS7799) implementation project in 1996
• Frequent media commentator on risk management
issues
• Co-author of vsRisk™ – the definitive cybersecurity risk
assessment tool
Today’s Webinar in Context
• Today’s webinar is #2 in an educational series.
• The 4 webinars are designed to take you on a learning
journey:
• Webinar 1 - Why ISO 27001 for my Organisation?
• Webinar 2 (Today) – The Importance of risk management.
• Webinar 3 – Carrying out a risk assessment using vsRisk.
• Webinar 4 – Maintaining/updating your risk assessment using
vsRisk.
Registration details of future webinars at the end.
Today’s Agenda
• A short 20-30 minute educational and informative talk:
• Quick recap of last week’s webinar – Why ISO 27001 for my
Organisation?
• The importance of risk management.
• Ample time for Q&A.
• Next steps.
Recap – last week’s webinar
In last week’s webinar we covered:
• What is information security?
• What is an information security management system (ISMS)?
• What is ISO 27001?
• Why should I and my organisation care about ISO 27001?
Information Security Terms and Phrases
Information security: preservation of confidentiality, integrity and availability of
information; in addition, other properties, such as authenticity, accountability, non-
repudiation, and reliability can also be involved
Confidentiality: the property that information is not made available or
disclosed to unauthorized individuals, entities, or processes
Integrity: the property of safeguarding the accuracy and completeness of assets
Availability: the property of being accessible and
usable upon demand by an authorized entity
Asset: anything that has value to the organization
What is a Risk?
A risk exists where there is an identifiable likelihood of an
identified threat exploiting an identified vulnerability in
relation to the confidentiality, availability or integrity of an
asset, and where that compromise will have a quantifiable
impact on the organisation.
Without likelihood and impact, there is no risk.
What is a risk assessment?
• Risk assessment is the core competence of information
security management.
• ISO 27001 explicitly asks for:
• a risk assessment to be carried out before any controls are
selected and implemented;
• every control to be justified by the risk assessment.
• Risk assessment sits in the Plan phase of the standard's
Plan-Do-Check-Act model.
Plan-Do-Check-Act
What is a risk assessment?
• The risk assessment must:
• Identify the threat/vulnerability combinations that have a
likelihood of impacting the confidentiality, availability or
integrity of each asset within a scope.
• This must be done from a business, compliance or contractual
perspective.
Benefits of risk assessment
• Spend on controls is balanced against the business harm likely to
result from security failures.
• Existing over-expenditure can be re-allocated to areas of weakness.
• Information security management decisions are driven entirely by the
outcomes of the risk assessment, so they are objective and defensible.
Risk management process (diagram)
Assets, threats and vulnerabilities
→ Analysis → Risks
→ Treatment → Countermeasures/safeguards: identification and implementation
Risk Management: Asset Documentation
Produce an inventory of all assets:
• All physical computing resources (computers, servers, PDAs, etc.)
• Buildings
• Telephones, mobile phones
• Storage facilities
• Information assets: databases, documentation, blueprints
• People
Maintain the asset register! Control category A.7 (ISO 27001:2005 Annex A) is
Asset Management: consider it when preparing for the risk assessment.
Risk Management: Asset Management
• Responsibility for assets.
• Information classification.
• Sensitivity guidelines.
• Sensitivity labelling.
Risk Assessment - Objective
To inform a proper balance of safeguards against risk of
failing to meet business objectives.
• For a given exposure, removal of safeguards will increase the
risk of loss.
• Too many safeguards could make the security system too
expensive/bureaucratic.
• Method by which expenditure on security and contingency can
be justified.
Risk assessment
• Define the approach: it must produce comparable and reproducible
results, so that the same risk scored twice, or by two assessors, gets the
same rating.
• Develop criteria for accepting risk and for identifying the acceptable
level of risk (the risk acceptance criteria).
Treatment of Risk
After completing the analysis of a risk, you need to decide how to
manage it. The treatment options are:
• Accept it (against the acceptance criteria already developed).
• Eliminate the risk by a workaround or other arrangements.
• Control the risk to bring it down to an acceptable level.
• Transfer it to a third party (e.g. via insurance).
Then select the controls that implement the chosen treatment.
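The scoring and treatment steps above (identify the threat/vulnerability combination per asset, rate likelihood and impact, compare with the risk acceptance criteria, then check that the chosen treatment brings the residual risk within those criteria) are shown below as an added example. It is illustrative code written for this page, not vsRisk's method or anything from the original slides: the 5-point scales, the acceptance threshold of 8, the status labels and the register entries are all assumptions, and the register is constructed sample data.

```python
"""Added example: a minimal ISO 27001-style risk register that scores each
asset / threat / vulnerability combination as likelihood x impact, compares
it with an assumed risk acceptance criterion and checks that the chosen
treatment leaves an acceptable residual risk.  Scales, threshold and data
are illustrative assumptions, not vsRisk's method."""
from dataclasses import dataclass
from typing import Optional

# Assumed ordinal scales.  ISO 27001 does not prescribe them; it only
# requires that the approach give comparable and reproducible results.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
PROPERTIES = {"confidentiality", "integrity", "availability"}
TREATMENTS = {"accept", "eliminate", "control", "transfer"}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    security_property: str            # which of C, I or A is at stake
    likelihood: str                   # inherent rating, before treatment
    impact: str
    treatment: Optional[str] = None   # None = decision not yet made
    residual_likelihood: Optional[str] = None   # after control/transfer
    residual_impact: Optional[str] = None


def validate(risk: Risk) -> None:
    """Reject entries that are not risks: without likelihood and impact there is no risk."""
    if risk.security_property not in PROPERTIES:
        raise ValueError(f"{risk.asset}: unknown property {risk.security_property!r}")
    if risk.likelihood not in LIKELIHOOD or risk.impact not in IMPACT:
        raise ValueError(f"{risk.asset}: likelihood and impact are both required")
    if risk.treatment is not None and risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.asset}: unknown treatment {risk.treatment!r}")
    if risk.treatment in ("control", "transfer") and not (
        risk.residual_likelihood or risk.residual_impact
    ):
        raise ValueError(f"{risk.asset}: {risk.treatment} must state residual ratings")


def score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def inherent_score(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual_score(risk: Risk) -> int:
    """Risk remaining after the chosen treatment is applied."""
    if risk.treatment == "eliminate":
        return 0                                   # activity or asset removed
    if risk.treatment in ("control", "transfer"):
        return score(risk.residual_likelihood or risk.likelihood,
                     risk.residual_impact or risk.impact)
    return inherent_score(risk)                    # accepted or still undecided


def evaluate(register, acceptance_threshold: int):
    """Return (asset, threat, property, inherent, residual, status) per entry."""
    findings = []
    for risk in register:
        validate(risk)
        inherent, residual = inherent_score(risk), residual_score(risk)
        if inherent <= acceptance_threshold:
            status = "acceptable"                  # meets the criteria as-is
        elif risk.treatment is None:
            status = "untreated"                   # treatment decision required
        elif risk.treatment == "accept":
            status = "accepted above criteria"     # needs documented sign-off
        elif residual > acceptance_threshold:
            status = "treatment insufficient"      # stronger controls needed
        else:
            status = "acceptable"
        findings.append((risk.asset, risk.threat, risk.security_property,
                         inherent, residual, status))
    return findings


def summarise(findings):
    counts = {}
    for *_, status in findings:
        counts[status] = counts.get(status, 0) + 1
    return counts


ACCEPTANCE_THRESHOLD = 8   # assumed criterion: any score above 8 must be treated

# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Risk("customer database", "external attacker", "unpatched web application",
         "confidentiality", "likely", "severe", "control", "rare", None),
    Risk("file server", "hardware failure", "no off-site backup",
         "availability", "possible", "major", "control", None, "minor"),
    Risk("staff laptops", "theft", "no full-disk encryption",
         "confidentiality", "possible", "major", "accept"),
    Risk("public website", "DDoS", "single upstream provider",
         "availability", "unlikely", "moderate"),
    Risk("payroll system", "insider fraud", "no segregation of duties",
         "integrity", "possible", "severe", "control", "unlikely", None),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER, ACCEPTANCE_THRESHOLD):
        print("%-18s %-18s %-15s inherent=%2d residual=%2d %s" % row)
    print(summarise(evaluate(SAMPLE_REGISTER, ACCEPTANCE_THRESHOLD)))
```

Two points the code makes that the slides only state: a control that reduces likelihood but leaves a severe impact in place (the payroll entry) can still fail the acceptance criteria, so residual risk has to be re-scored rather than assumed; and "accept" applied to a risk above the criteria is flagged separately, because that decision needs management sign-off rather than silently passing.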
Safe and Secure - The Importance of Risk
Management
• An Information Security Management System (ISMS) will
help your organisation to become ISO 27001 certified.
• This certification will tell your potential customers,
employees and partners that your information systems
are safe and secure.
Safe and secure – so what?
• It’s not just your word: your information systems are safe and secure to
a recognised, externally audited, international standard.
• Tells existing and potential customers, employees and partners, as
well as regulators that you have defined and put in place effective
information security processes, thus helping create a trusting
relationship.
• You are good to do business with!
Summary
• Information Security risk analysis is a difficult task
involving experience and knowledge of the environment
being analysed.
• A number of risk analysis and management methods
have been proposed for both the commercial and
government sectors; these methods are currently
available either as guidelines to be applied
manually or as software packages.
• There are tools to help – vsRisk demoed in next week’s
webinar.
Next Steps – Upcoming Educational Webinars
• Webinar 3 – Carrying out a Risk Assessment using
vsRisk - Thursday May 23rd, 4pm UK Time.
• Webinar 4 - Maintaining and Updating your Risk
Assessment using vsRisk - Thursday May 30th, 4pm UK
Time. Includes announcement of special offer for vsRisk
for webinar registrants.
• Register for both/either at
http://www.vigilantsoftware.co.uk/webinars.aspx
Before the next webinars… Read a book…
Read the world's first practical e-book guidance on achieving ISO 27001
certification and the nine essential steps to an effective ISMS
implementation.
Available on offer at £25.95 (normally £29.95) at
http://www.vigilantsoftware.co.uk/product/1651.aspx
Download a free trial of vsRisk
The information security risk assessment tool compliant to ISO 27001 that
automates and accelerates the risk management process.
15-day free trial at http://www.vigilantsoftware.co.uk
Next Steps – Want to know more?
If you would like to know more about ISO 27001, including
how to carry out an ISO 27001-compliant risk assessment,
please visit http://www.vigilantsoftware.co.uk or email
Questions – we welcome them all!
Please type your questions into the Webex chat window –
responses will generally be verbal and shared with all
delegates.