A tool for efficiency and compliance, presented in 3rd CryCyIW Conference, Greece 2016.

2. o The Problem / Complexity
o ISO 31000 / 27001 / 20000
o NIST SP 800-30 rev.1
o Risk Management
o Risk Modelling
o The System / Login / Menu
o Risk Assessment
o Subsystems / Connection
o Automation & Modelling
o User Management
o Internal Communication
o Documentation & Support
o Mitigation Strategy
o Filters & Colours
o Report Engine
o Document Management
o Risk Doc Templates
o Risk Monitoring
o Workflows
o Audit Management
o Reviews & Knowledge Mngt
o Risk Scenario
o Summary & Conclusion

3. Risk
Migrate, so it’s difficult to identify them
Grow fast suddenly
‘Hide’ due to limited physical oversight
As systems have become more complex, integrated and connected to third parties, risks are growing exponentially and
the security and control budget quickly reaches its limitations.

4. Risk Management – Principles and
Guidelines
Any type of risk, any type of industry
Guide for conducting Risk Assessments
USA Federal Information Systems &
Organizations
Security techniques – ISMS –
Requirements
IT Service Management - Requirements
ITIL - COBIT

5. Establishing Context
Risk Assessment
Risk identification
Risk analysis
Risk evaluation
Communication&Consultation
Monitoring&Review
Risk Treatment

6. Likelihood X Impact
5 categories used by Microsoft in the past. It
provides a mnemonic for risk rating security
threats.
Base, Temporal and Environmental
Metrics.
Open Web Application Security Project
4 risk categories x 4 factors/impacts

23. A user identifies an event as a
possible threat and opens a
ticket to the system.
He marks the record (priority field) as
“Urgent” and an automated
workflow sends a notification
email to the team.
In 5 minutes an engineer has
received the notification. He
examines the situation and
creates a risk record to the
system.
Multiple incidents are recorded
during the day from different
users and for different things.
Every manager sets the priorities for
the next period, assigning
activities to the members of
his/her team.
As he/she implements risk
assessments, or approve
mitigations, he always
watches to key metrics and
dashboard diagrams.
Periodically and just before the
external audits, he reviews all
risks that have to be reviewed,
he runs the report engine and
conducts the risk assessment
and treatment report.
2 times per year, top management
reviews all the statistics and
kpi’s.
Especially, they want to know the
most important things that
happened and if the Targets
are met.

24. • Evolving systems require good risk management
• All members should collaborate during this process
• Ideally, IT tools should be used for efficiency and
compliance

25. We are trying our best!
1 str. Artis, Athens, GR
www.osys.gr
info@osys.gr
30 210 97 62 600
www.facebook.com/osys.gr
@omicronsystems

26. Yiannis Issaris - Omicron Systems
3rd CryCybIW