This webinar covers:
• How to make a risk assessment successful using the ISO 27001 ISMS framework
• Using the ISMS legal, physical and technical controls involved in an organization's information risk management processes
• How companies can protect Personal Health Information (PHI), Payment Card Information (PCI) and Personally Identifiable Information (PII)
Presenter:
This session will be hosted by PECB Trainer Dr. Michael C. Redmond, CEO of Redmond Worldwide, who has extensive experience in Incident Response Programs.
3. Cyber Attacks
More and more attacks are happening every day, resulting in loss of reputation, fines, legal liabilities and much more. It is not a question of IF you will be the victim of a cyber attack, but WHEN.
4. Risk Assessment using ISO 27001 ISMS framework
Information Security Management System: legal, physical and security/cyber and technical controls.
An organization should design, implement and maintain policies, processes and systems to manage risks to its information assets, ensuring acceptable levels of information security risk.
5. Version 2005
The 2005 version, ISO/IEC 27001:2005, incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
• Plan - designing the ISMS, assessing information security risks and selecting appropriate controls.
• Do - implementing and operating the controls.
• Check - reviewing and evaluating the performance (efficiency and effectiveness) of the ISMS.
• Act - making changes where necessary to bring the ISMS back to peak performance.
6. Version 2013
ISO/IEC 27001:2013 no longer emphasises the Deming cycle.
• The ISMS user is free to use any management (improvement) process approach, such as PDCA or Six Sigma's DMAIC.
7. Security Risk Factors
• Security depends on people more than on technology.
• Employees are a far greater threat to information security than outsiders.
• Security is like a chain: it is only as strong as its weakest link.
• The degree of security depends on three factors: the risk appetite, the functionality of the system, and the costs you are prepared to pay.
• Security is not a status or a snapshot but a continuous process.
8. Risk Framework
Scope: understand what it is that you need to protect.
Risk Management: assess risks and develop appropriate Risk Treatment Plans to mitigate them.
Assess: monitor and assess to validate efficacy and continuously improve.
Governance: senior management needs to govern the risk management process, most notably by establishing risk tolerance/acceptance.
9. They Work Together
Risk assessment is one of the key requirements of ISO 27001 compliance.
ISO 27005 is considered one of the best risk assessment methodologies available today and is widely used by many organizations in achieving compliance with ISO 27001 and with other standards such as PCI, HIPAA, etc.
10. Identify the assets, consider the threats that could compromise those assets, and estimate the damage that the realization of any threat could pose.
11. What risk would losing trade secrets pose to your company's financial well-being?
12. Identify the various entities that pose threats to your company's well-being:
• hackers
• disgruntled employees
• careless employees
• competitors
13. Identify the assets that you are trying to protect, with special attention to those that are most critical.
15. What are the weakest links in your systems and processes?
16. Make a list of possible vulnerable targets
• Source Code
• Engineering Drawings
• Patent Applications
• Customer Lists
• Contracts
• Admin Passwords
• Data Centers
• UPS Devices
• Firewalls
• Payroll Records
17. Next Step
Assign numeric values to those risks. Calculated risk values provide a basis for determining how much time and money to invest in protection.
18. Risk and Impact
Likelihood (probability) is a measure of how likely a loss is to happen.
Impact (severity) is how much damage will be done to the organization if the loss occurs.
19. FMEA
Failure mode and effects analysis (FMEA) gives a measure of the effectiveness of current controls. The formula is:
• the likelihood that a threat is acted on (independent of your precautions against it), times the anticipated damage (impact), times the effectiveness of your efforts in mitigating the risks (controls).
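A worked risk register using the three-factor formula above, added here as an example and not code from the presentation. The 1-5 rating scales, the constructed asset/threat pairs (drawn from the earlier slides), the tolerance value and the reading of the control factor as a "control gap" (higher = weaker controls, so that every factor increases risk, as in a standard FMEA rating) are all assumptions.

```python
"""Score and rank a risk register with likelihood x impact x control gap.

Constructed example: the entries and ratings below are illustrative,
not figures from the presentation.
"""
from dataclasses import dataclass

# Assumed rating scale: 1 (low) to 5 (high) for every factor.
# control_gap rates how weak current controls are (1 = strong, 5 = none),
# so a higher value always means more risk.
SCALE = range(1, 6)


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    likelihood: int   # how likely the threat is acted on
    impact: int       # damage to the organization if the loss occurs
    control_gap: int  # weakness of the current controls

    def score(self) -> int:
        for factor in (self.likelihood, self.impact, self.control_gap):
            if factor not in SCALE:
                raise ValueError(f"rating {factor} outside {list(SCALE)}")
        return self.likelihood * self.impact * self.control_gap


def treatment(entry: RiskEntry, tolerance: int) -> str:
    """Governance sets the tolerance; anything above it needs a treatment plan."""
    return "treat" if entry.score() > tolerance else "accept"


def rank_register(register: list[RiskEntry], tolerance: int) -> list[tuple[str, str, int, str]]:
    """Return (asset, threat, score, decision) rows, highest risk first."""
    rows = [(e.asset, e.threat, e.score(), treatment(e, tolerance)) for e in register]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed register using assets and threat actors named on the slides.
REGISTER = [
    RiskEntry("Source Code", "competitors", 3, 5, 2),
    RiskEntry("Admin Passwords", "careless employees", 4, 5, 3),
    RiskEntry("Customer Lists", "disgruntled employees", 3, 4, 4),
    RiskEntry("UPS Devices", "hackers", 1, 3, 2),
    RiskEntry("Payroll Records", "hackers", 2, 4, 1),
]

if __name__ == "__main__":
    for asset, threat, score, decision in rank_register(REGISTER, tolerance=24):
        print(f"{score:3d}  {decision:6s}  {asset} / {threat}")
```

The ranked output is the basis the "Next Step" slide refers to: entries above the governance-set tolerance get a treatment plan first, and the ordering shows where time and money should go.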
20. Thanks
Dr. Michael C. Redmond, PhD
ISO 27001, ISO 27035, ISO 22301
MBCP, FBCI, CEM, MBA
www.redmondworldwide.com
917-882-5453
LinkedIn: https://www.linkedin.com/in/michaelredmond2008