REPORTING RELEVANT IT RISKS TO STAKEHOLDERS
Marc Vael, Brussels, 24 June 2015
WHO ARE THE STAKEHOLDERS?
Stakeholders can affect or be affected by the organization's actions, objectives and policies. Examples of key stakeholders are creditors, directors, employees, government (and its agencies), owners (shareholders), suppliers, unions, and the community from which the business draws its resources.
Big problem #1: Stakeholders all speak different “languages”.
WHAT ARE RELEVANT IT RISKS?
Information technology risk (IT risk, IT-related risk) is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
Assessing the probability or likelihood of various types of event/incident, together with their predicted impacts or consequences should they occur, is a common way to assess and measure IT risks.
Alternative methods of measuring IT risk typically involve assessing other contributory factors such as the threats, vulnerabilities, exposures, and asset values.
IT risk has a broader meaning: it encompasses not only the negative impact on operations and service delivery, which can destroy or reduce the value of the organization, but also the benefit/value-enabling risk associated with missed opportunities to use technology to enable or enhance the business, and the IT project management risk in aspects such as overspending or late delivery with adverse business impact.
WHO ARE THE STAKEHOLDERS?
Big problem #2: “Risk” is inherently subjective (qualitative).
MEASURING IT RISKS?
Information security event: an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
Event: the occurrence of a particular set of circumstances. The event can be certain or uncertain. The event can be a single occurrence or a series of occurrences.
Information security incident: a single or a series of unwanted information security events that have a significant probability of compromising business operations and threatening information security; an event that has been assessed as having an actual or potentially adverse effect on the security or performance of a system.
MEASURING IT RISKS?
Impact: the result of an unwanted incident.
Consequence: the outcome of an event. There can be more than one consequence from one event. Consequences can range from positive to negative. Consequences can be expressed qualitatively or quantitatively.
R = L × I
The likelihood (L) of a security incident occurring is a function of the likelihood that a threat appears and the likelihood that the threat can successfully exploit the relevant system vulnerabilities.
The consequence of a security incident is a function of the likely impact (I) that the incident will have on the organization as a result of the harm its assets will sustain. Harm is related to the value of the assets to the organization; the same asset can have different values to different organizations.
MEASURING IT RISKS?
R can be a function of four factors:
A = value of the assets
T = likelihood of the threat
V = nature of the vulnerability, i.e. the likelihood that it can be exploited (proportional to the potential benefit for the attacker and inversely proportional to the cost of exploitation)
I = the likely impact, the extent of the harm
MEASURING IT RISKS?
OWASP approach to IT risk
Estimation of likelihood on a 0 to 9 scale: threat agent factors, vulnerability factors.
Estimation of impact on a 0 to 9 scale: technical impact factors, business impact factors.
MEASURING IT RISKS?
OWASP approach to IT risk
Threat agent factors
Skill level: How technically skilled is this group of threat agents? No technical skills (1), some technical skills (3), advanced computer user (4), network and programming skills (6), security penetration skills (9)
Motive: How motivated is this group of threat agents to find and exploit this vulnerability? Low or no reward (1), possible reward (4), high reward (9)
Opportunity: What resources and opportunity are required for this group of threat agents to find and exploit this vulnerability? Full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9)
Size: How large is this group of threat agents? Developers (2), system administrators (2), intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)
MEASURING IT RISKS?
OWASP approach to IT risk
Vulnerability factors: estimate the likelihood of the particular vulnerability involved being discovered and exploited. Assume the threat agent selected above.
Ease of discovery: How easy is it for this group of threat agents to discover this vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9)
Ease of exploit: How easy is it for this group of threat agents to actually exploit this vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9)
Awareness: How well known is this vulnerability to this group of threat agents? Unknown (1), hidden (4), obvious (6), public knowledge (9)
Intrusion detection: How likely is an exploit to be detected? Active detection in application (1), logged and reviewed (3), logged without review (8), not logged (9)
MEASURING IT RISKS?
OWASP approach to IT risk
Technical impact factors: estimate the magnitude of the impact on the system if the vulnerability were to be exploited.
Loss of confidentiality: How much data could be disclosed and how sensitive is it? Minimal non-sensitive data disclosed (2), minimal critical data disclosed (6), extensive non-sensitive data disclosed (6), extensive critical data disclosed (7), all data disclosed (9)
Loss of integrity: How much data could be corrupted and how damaged is it? Minimal slightly corrupt data (1), minimal seriously corrupt data (3), extensive slightly corrupt data (5), extensive seriously corrupt data (7), all data totally corrupt (9)
Loss of availability: How much service could be lost and how vital is it? Minimal secondary services interrupted (1), minimal primary services interrupted (5), extensive secondary services interrupted (5), extensive primary services interrupted (7), all services completely lost (9)
Loss of accountability: Are the threat agents' actions traceable to an individual? Fully traceable (1), possibly traceable (7), completely anonymous (9)
MEASURING IT RISKS?
OWASP approach to IT risk
Business impact factors: require a deep understanding of what is important to the company running the application. They aim to support risks with business impact, particularly if the audience is executive level. The business risk is what justifies investment in fixing security problems.
Financial damage: How much financial damage will result from an exploit? Less than the cost to fix the vulnerability (1), minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9)
Reputation damage: Would an exploit result in reputation damage that would harm the business? Minimal damage (1), loss of major accounts (4), loss of goodwill (5), brand damage (9)
Non-compliance: How much exposure does non-compliance introduce? Minor violation (2), clear violation (5), high profile violation (7)
Privacy violation: How much personally identifiable information could be disclosed? One individual (3), hundreds of people (5), thousands of people (7), millions of people (9)
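The likelihood-times-impact structure of R = L × I and the OWASP factor scores on the slides above, carried through as an added example. This is not code from Marc Vael's slides or from OWASP; it assumes the averaging rule, the 0 to <3 / 3 to <6 / 6 to 9 LOW/MEDIUM/HIGH bands and the overall-severity matrix from OWASP's published Risk Rating Methodology, which the slides do not print, and the sample scores are constructed for one hypothetical flaw. It rates the same finding twice, once with technical impact and once with business impact, which is the "different languages" point in practice: the technical view and the executive view can land on different severities.

```python
# Added example (not from the slides): an OWASP-style risk rating calculator
# using the factor names and 0-9 scores listed on the slides. The averaging of
# factors, the LOW/MEDIUM/HIGH bands and the severity matrix follow OWASP's
# published Risk Rating Methodology; they are assumptions here, not slide text.

THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness",
                 "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance",
                   "privacy_violation")

# OWASP overall-severity matrix, indexed by (impact band, likelihood band).
SEVERITY = {
    ("LOW", "LOW"): "Note",       ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",     ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",    ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def band(score: float) -> str:
    """Map a 0-9 score to OWASP's bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors: dict, names: tuple) -> float:
    """Average the named factors, refusing missing or out-of-range scores."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise ValueError(f"missing factor scores: {missing}")
    for n in names:
        if not isinstance(factors[n], int) or not 0 <= factors[n] <= 9:
            raise ValueError(f"{n} must be an integer 0-9, got {factors[n]!r}")
    return sum(factors[n] for n in names) / len(names)


def rate(factors: dict, business_impact: bool = True) -> dict:
    """Rate one vulnerability: R = L x I in banded form.

    Likelihood is the average of the eight threat-agent and vulnerability
    factors. Impact is the average of the four business factors (the
    executive-level view) or, when business_impact is False, of the four
    technical factors.
    """
    likelihood = average(factors, THREAT_AGENT + VULNERABILITY)
    impact = average(factors, BUSINESS_IMPACT if business_impact else TECHNICAL_IMPACT)
    lb, ib = band(likelihood), band(impact)
    return {
        "likelihood": likelihood, "likelihood_band": lb,
        "impact": impact, "impact_band": ib,
        "severity": SEVERITY[(ib, lb)],
    }


# Constructed sample: one hypothetical Internet-facing flaw, scored with the
# options printed on the slides (the chosen option is in the comment).
SAMPLE = {
    "skill_level": 6,              # network and programming skills
    "motive": 9,                   # high reward
    "opportunity": 9,              # no access or resources required
    "size": 9,                     # anonymous Internet users
    "ease_of_discovery": 7,        # easy
    "ease_of_exploit": 5,          # easy
    "awareness": 9,                # public knowledge
    "intrusion_detection": 8,      # logged without review
    "loss_of_confidentiality": 7,  # extensive critical data disclosed
    "loss_of_integrity": 3,        # minimal seriously corrupt data
    "loss_of_availability": 5,     # minimal primary services interrupted
    "loss_of_accountability": 7,   # possibly traceable
    "financial_damage": 7,         # significant effect on annual profit
    "reputation_damage": 5,        # loss of goodwill
    "non_compliance": 5,           # clear violation
    "privacy_violation": 7,        # thousands of people
}

if __name__ == "__main__":
    for view, flag in (("business", True), ("technical", False)):
        r = rate(SAMPLE, business_impact=flag)
        print(f"{view:9s} likelihood={r['likelihood']:.2f} ({r['likelihood_band']}) "
              f"impact={r['impact']:.2f} ({r['impact_band']}) -> {r['severity']}")
```

For the constructed sample the likelihood averages 7.75 (HIGH) either way; the technical impact averages 5.5 (MEDIUM, overall High) while the business impact averages 6.0 (HIGH, overall Critical). The one factor a defender controls most directly in the likelihood half is intrusion detection: moving "logged without review" (8) to "logged and reviewed" (3) is the cheapest score change in the table, which is the kind of comparison this scoring makes visible to a non-technical audience.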
WHO ARE THE STAKEHOLDERS?
Big problem #3: The risks that frighten people are not the same ones that “kill” them.
WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
?
WHO ARE THE STAKEHOLDERS?
Big problem #4: Risks are difficult to compare across the board.
ISACA Reporting relevant IT risks to stakeholders
Value-added it auditingValue-added it auditing
Value-added it auditing
Marc Vael
 
ISACA Internet of Things open forum presentation
ISACA Internet of Things open forum presentationISACA Internet of Things open forum presentation
ISACA Internet of Things open forum presentation
Marc Vael
 
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
Marc Vael
 
The value of big data analytics
The value of big data analyticsThe value of big data analytics
The value of big data analytics
Marc Vael
 
Social media risks and controls
Social media risks and controlsSocial media risks and controls
Social media risks and controls
Marc Vael
 
The view of auditor on cybercrime
The view of auditor on cybercrimeThe view of auditor on cybercrime
The view of auditor on cybercrime
Marc Vael
 
ISACA Mobile Payments Forum presentation
ISACA Mobile Payments Forum presentationISACA Mobile Payments Forum presentation
ISACA Mobile Payments Forum presentation
Marc Vael
 
Belgian Data Protection Commission's new audit programme
Belgian Data Protection Commission's new audit programmeBelgian Data Protection Commission's new audit programme
Belgian Data Protection Commission's new audit programme
Marc Vael
 
ISACA Cloud Computing Risks
ISACA Cloud Computing RisksISACA Cloud Computing Risks
ISACA Cloud Computing Risks
Marc Vael
 
Information security awareness (sept 2012) bis handout
Information security awareness (sept 2012) bis handoutInformation security awareness (sept 2012) bis handout
Information security awareness (sept 2012) bis handout
Marc Vael
 
ISACA smart security for smart devices
ISACA smart security for smart devicesISACA smart security for smart devices
ISACA smart security for smart devices
Marc Vael
 
Securing big data (july 2012)
Securing big data (july 2012)Securing big data (july 2012)
Securing big data (july 2012)
Marc Vael
 
Valuendo cyberwar and security (jan 2012) handout
Valuendo cyberwar and security (jan 2012) handoutValuendo cyberwar and security (jan 2012) handout
Valuendo cyberwar and security (jan 2012) handout
Marc Vael
 
How to handle multilayered IT security today
How to handle multilayered IT security todayHow to handle multilayered IT security today
How to handle multilayered IT security today
Marc Vael
 

More from Marc Vael (20)

How secure are chat and webconf tools
How secure are chat and webconf toolsHow secure are chat and webconf tools
How secure are chat and webconf tools
 
my experience as ciso
my experience as cisomy experience as ciso
my experience as ciso
 
Advantages of privacy by design in IoE
Advantages of privacy by design in IoEAdvantages of privacy by design in IoE
Advantages of privacy by design in IoE
 
Cybersecurity governance existing frameworks (nov 2015)
Cybersecurity governance existing frameworks (nov 2015)Cybersecurity governance existing frameworks (nov 2015)
Cybersecurity governance existing frameworks (nov 2015)
 
Cybersecurity nexus vision
Cybersecurity nexus visionCybersecurity nexus vision
Cybersecurity nexus vision
 
Cloud security lessons learned and audit
Cloud security lessons learned and auditCloud security lessons learned and audit
Cloud security lessons learned and audit
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditing
 
ISACA Internet of Things open forum presentation
ISACA Internet of Things open forum presentationISACA Internet of Things open forum presentation
ISACA Internet of Things open forum presentation
 
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
 
The value of big data analytics
The value of big data analyticsThe value of big data analytics
The value of big data analytics
 
Social media risks and controls
Social media risks and controlsSocial media risks and controls
Social media risks and controls
 
The view of auditor on cybercrime
The view of auditor on cybercrimeThe view of auditor on cybercrime
The view of auditor on cybercrime
 
ISACA Mobile Payments Forum presentation
ISACA Mobile Payments Forum presentationISACA Mobile Payments Forum presentation
ISACA Mobile Payments Forum presentation
 
Belgian Data Protection Commission's new audit programme
Belgian Data Protection Commission's new audit programmeBelgian Data Protection Commission's new audit programme
Belgian Data Protection Commission's new audit programme
 
ISACA Cloud Computing Risks
ISACA Cloud Computing RisksISACA Cloud Computing Risks
ISACA Cloud Computing Risks
 
Information security awareness (sept 2012) bis handout
Information security awareness (sept 2012) bis handoutInformation security awareness (sept 2012) bis handout
Information security awareness (sept 2012) bis handout
 
ISACA smart security for smart devices
ISACA smart security for smart devicesISACA smart security for smart devices
ISACA smart security for smart devices
 
Securing big data (july 2012)
Securing big data (july 2012)Securing big data (july 2012)
Securing big data (july 2012)
 
Valuendo cyberwar and security (jan 2012) handout
Valuendo cyberwar and security (jan 2012) handoutValuendo cyberwar and security (jan 2012) handout
Valuendo cyberwar and security (jan 2012) handout
 
How to handle multilayered IT security today
How to handle multilayered IT security todayHow to handle multilayered IT security today
How to handle multilayered IT security today
 

Recently uploaded

intra-mart Accel series 2024 Spring updates_En
intra-mart Accel series 2024 Spring updates_Enintra-mart Accel series 2024 Spring updates_En
intra-mart Accel series 2024 Spring updates_En
NTTDATA INTRAMART
 
The "Zen" of Python Exemplars - OTel Community Day
The "Zen" of Python Exemplars - OTel Community DayThe "Zen" of Python Exemplars - OTel Community Day
The "Zen" of Python Exemplars - OTel Community Day
Paige Cruz
 
ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes New Product Features and Release Highlights: June 2024ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes
 
Move Auth, Policy, and Resilience to the Platform
Move Auth, Policy, and Resilience to the PlatformMove Auth, Policy, and Resilience to the Platform
Move Auth, Policy, and Resilience to the Platform
Christian Posta
 
Cyber Recovery Wargame
Cyber Recovery WargameCyber Recovery Wargame
Cyber Recovery Wargame
Databarracks
 
CTO Insights: Steering a High-Stakes Database Migration
CTO Insights: Steering a High-Stakes Database MigrationCTO Insights: Steering a High-Stakes Database Migration
CTO Insights: Steering a High-Stakes Database Migration
ScyllaDB
 
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc
 
Day 4 - Excel Automation and Data Manipulation
Day 4 - Excel Automation and Data ManipulationDay 4 - Excel Automation and Data Manipulation
Day 4 - Excel Automation and Data Manipulation
UiPathCommunity
 
How to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
How to Optimize Call Monitoring: Automate QA and Elevate Customer ExperienceHow to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
How to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
Aggregage
 
Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...
Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...
Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...
anilsa9823
 
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
manji sharman06
 
Introduction to ThousandEyes AMER Webinar
Introduction  to ThousandEyes AMER WebinarIntroduction  to ThousandEyes AMER Webinar
Introduction to ThousandEyes AMER Webinar
ThousandEyes
 
Product Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdfProduct Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdf
gaydlc2513
 
Radically Outperforming DynamoDB @ Digital Turbine with SADA and Google Cloud
Radically Outperforming DynamoDB @ Digital Turbine with SADA and Google CloudRadically Outperforming DynamoDB @ Digital Turbine with SADA and Google Cloud
Radically Outperforming DynamoDB @ Digital Turbine with SADA and Google Cloud
ScyllaDB
 
Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0
Neeraj Kumar Singh
 
Automation Student Developers Session 3: Introduction to UI Automation
Automation Student Developers Session 3: Introduction to UI AutomationAutomation Student Developers Session 3: Introduction to UI Automation
Automation Student Developers Session 3: Introduction to UI Automation
UiPathCommunity
 
Getting Started Using the National Research Platform
Getting Started Using the National Research PlatformGetting Started Using the National Research Platform
Getting Started Using the National Research Platform
Larry Smarr
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AlexanderRichford
 
DynamoDB to ScyllaDB: Technical Comparison and the Path to Success
DynamoDB to ScyllaDB: Technical Comparison and the Path to SuccessDynamoDB to ScyllaDB: Technical Comparison and the Path to Success
DynamoDB to ScyllaDB: Technical Comparison and the Path to Success
ScyllaDB
 
MongoDB vs ScyllaDB: Tractian’s Experience with Real-Time ML
MongoDB vs ScyllaDB: Tractian’s Experience with Real-Time MLMongoDB vs ScyllaDB: Tractian’s Experience with Real-Time ML
MongoDB vs ScyllaDB: Tractian’s Experience with Real-Time ML
ScyllaDB
 

Recently uploaded (20)

intra-mart Accel series 2024 Spring updates_En
intra-mart Accel series 2024 Spring updates_Enintra-mart Accel series 2024 Spring updates_En
intra-mart Accel series 2024 Spring updates_En
 
The "Zen" of Python Exemplars - OTel Community Day
The "Zen" of Python Exemplars - OTel Community DayThe "Zen" of Python Exemplars - OTel Community Day
The "Zen" of Python Exemplars - OTel Community Day
 
ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes New Product Features and Release Highlights: June 2024ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes New Product Features and Release Highlights: June 2024
 
Move Auth, Policy, and Resilience to the Platform
Move Auth, Policy, and Resilience to the PlatformMove Auth, Policy, and Resilience to the Platform
Move Auth, Policy, and Resilience to the Platform
 
Cyber Recovery Wargame
Cyber Recovery WargameCyber Recovery Wargame
Cyber Recovery Wargame
 
CTO Insights: Steering a High-Stakes Database Migration
CTO Insights: Steering a High-Stakes Database MigrationCTO Insights: Steering a High-Stakes Database Migration
CTO Insights: Steering a High-Stakes Database Migration
 
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
 
Day 4 - Excel Automation and Data Manipulation
Day 4 - Excel Automation and Data ManipulationDay 4 - Excel Automation and Data Manipulation
Day 4 - Excel Automation and Data Manipulation
 
How to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
How to Optimize Call Monitoring: Automate QA and Elevate Customer ExperienceHow to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
How to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
 
Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...
Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...
Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...
 
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
 
Introduction to ThousandEyes AMER Webinar
Introduction  to ThousandEyes AMER WebinarIntroduction  to ThousandEyes AMER Webinar
Introduction to ThousandEyes AMER Webinar
 
Product Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdfProduct Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdf
 
Radically Outperforming DynamoDB @ Digital Turbine with SADA and Google Cloud
Radically Outperforming DynamoDB @ Digital Turbine with SADA and Google CloudRadically Outperforming DynamoDB @ Digital Turbine with SADA and Google Cloud
Radically Outperforming DynamoDB @ Digital Turbine with SADA and Google Cloud
 
Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0
 
Automation Student Developers Session 3: Introduction to UI Automation
Automation Student Developers Session 3: Introduction to UI AutomationAutomation Student Developers Session 3: Introduction to UI Automation
Automation Student Developers Session 3: Introduction to UI Automation
 
Getting Started Using the National Research Platform
Getting Started Using the National Research PlatformGetting Started Using the National Research Platform
Getting Started Using the National Research Platform
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
DynamoDB to ScyllaDB: Technical Comparison and the Path to Success
DynamoDB to ScyllaDB: Technical Comparison and the Path to SuccessDynamoDB to ScyllaDB: Technical Comparison and the Path to Success
DynamoDB to ScyllaDB: Technical Comparison and the Path to Success
 
MongoDB vs ScyllaDB: Tractian’s Experience with Real-Time ML
MongoDB vs ScyllaDB: Tractian’s Experience with Real-Time MLMongoDB vs ScyllaDB: Tractian’s Experience with Real-Time ML
MongoDB vs ScyllaDB: Tractian’s Experience with Real-Time ML
 

ISACA Reporting relevant IT risks to stakeholders

  • 1. REPORTING RELEVANT IT RISKS TO STAKEHOLDERS Marc Vael, Brussels, 24 June 2015
  • 2. WHO ARE THE STAKEHOLDERS? Stakeholders can affect or be affected by the organization's actions, objectives and policies. Examples of key stakeholders are creditors, directors, employees, government (and its agencies), owners (shareholders), suppliers, unions, and the community from which the business draws its resources.
  • 3. WHO ARE THE STAKEHOLDERS?
  • 4. WHO ARE THE STAKEHOLDERS?
  • 5. WHO ARE THE STAKEHOLDERS?
  • 6. WHO ARE THE STAKEHOLDERS?
  • 7. WHO ARE THE STAKEHOLDERS? Big problem #1:
 Stakeholders all speak different “languages”.
  • 8. WHAT ARE RELEVANT IT RISKS? Information technology risk / IT risk / IT-related risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. Assessing the probability (likelihood) of various types of event/incident together with their predicted impacts or consequences should they occur is a common way to assess and measure IT risks.
 Alternative methods of measuring IT risk typically involve assessing other contributory factors such as threats, vulnerabilities, exposures, and asset values. IT risk has a broader meaning: it encompasses not only the negative impact on operations and service delivery, which can destroy or reduce the value of the organization, but also the benefit/value-enabling risk of missing opportunities to use technology to enable or enhance the business, and IT project management risk such as overspending or late delivery with adverse business impact.
  • 9. WHO ARE THE STAKEHOLDERS? Big problem #2: 
 “Risk” is inherently subjective (qualitative)
  • 10. MEASURING IT RISKS? Information security event: identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
 Occurrence of a particular set of circumstances. The event can be certain or uncertain. The event can be a single occurrence or a series of occurrences.
 Information security incident: single or series of unwanted information security events that have a significant probability of compromising business operations and threatening information security.
 An event that has been assessed as having an actual or potentially adverse effect on the security or performance of a system.
  • 11. MEASURING IT RISKS? Impact: result of an unwanted incident.
 Consequence: outcome of an event. There can be more than one consequence from one event. Consequences can range from positive to negative. Consequences can be expressed qualitatively or quantitatively.
 R = L × I
 Likelihood (L) of a security incident occurring is a function of the likelihood that a threat appears and the likelihood that the threat can successfully exploit the relevant system vulnerabilities.
 Consequence (I) of the occurrence of a security incident is a function of the likely impact that the incident will have on the organization as a result of the harm its assets will sustain. Harm is related to the value of the assets to the organization; the same asset can have different values to different organizations.
  • 12. MEASURING IT RISKS? R can be a function of four factors:
 A = value of the assets
 T = likelihood of the threat
 V = nature of the vulnerability, i.e. the likelihood that it can be exploited (proportional to the potential benefit for the attacker and inversely proportional to the cost of exploitation)
 I = the likely impact, the extent of the harm
  • 19. MEASURING IT RISKS? OWASP approach to IT risk
 Estimation of Likelihood on a 0 to 9 scale: threat agent factors, vulnerability factors
 Estimation of Impact on a 0 to 9 scale: technical impact factors, business impact factors
  • 20. MEASURING IT RISKS? OWASP approach to IT risk: threat agent factors
 Skill level: How technically skilled is this group of threat agents? No technical skills (1), some technical skills (3), advanced computer user (4), network and programming skills (6), security penetration skills (9)
 Motive: How motivated is this group of threat agents to find and exploit this vulnerability? Low or no reward (1), possible reward (4), high reward (9)
 Opportunity: What resources and opportunity are required for this group of threat agents to find and exploit this vulnerability? Full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9)
 Size: How large is this group of threat agents? Developers (2), system administrators (2), intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)
  • 21. MEASURING IT RISKS? OWASP approach to IT risk: vulnerability factors, which estimate the likelihood of the particular vulnerability involved being discovered and exploited. Assume the threat agent selected above.
 Ease of discovery: How easy is it for this group of threat agents to discover this vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9)
 Ease of exploit: How easy is it for this group of threat agents to actually exploit this vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9)
 Awareness: How well known is this vulnerability to this group of threat agents? Unknown (1), hidden (4), obvious (6), public knowledge (9)
 Intrusion detection: How likely is an exploit to be detected? Active detection in application (1), logged and reviewed (3), logged without review (8), not logged (9)
  • 22. MEASURING IT RISKS? OWASP approach to IT risk: technical impact factors, which estimate the magnitude of the impact on the system if the vulnerability were to be exploited.
 Loss of confidentiality: How much data could be disclosed and how sensitive is it? Minimal non-sensitive data disclosed (2), minimal critical data disclosed (6), extensive non-sensitive data disclosed (6), extensive critical data disclosed (7), all data disclosed (9)
 Loss of integrity: How much data could be corrupted and how damaged is it? Minimal slightly corrupt data (1), minimal seriously corrupt data (3), extensive slightly corrupt data (5), extensive seriously corrupt data (7), all data totally corrupt (9)
 Loss of availability: How much service could be lost and how vital is it? Minimal secondary services interrupted (1), minimal primary services interrupted (5), extensive secondary services interrupted (5), extensive primary services interrupted (7), all services completely lost (9)
 Loss of accountability: Are the threat agents' actions traceable to an individual? Fully traceable (1), possibly traceable (7), completely anonymous (9)
  • 23. MEASURING IT RISKS? OWASP approach to IT risk: business impact factors, which require a deep understanding of what is important to the company running the application. Aim to back up technical risks with their business impact, particularly if the audience is executive level. The business risk is what justifies investment in fixing security problems.
 Financial damage: How much financial damage will result from an exploit? Less than the cost to fix the vulnerability (1), minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9)
 Reputation damage: Would an exploit result in reputation damage that would harm the business? Minimal damage (1), loss of major accounts (4), loss of goodwill (5), brand damage (9)
 Non-compliance: How much exposure does non-compliance introduce? Minor violation (2), clear violation (5), high profile violation (7)
 Privacy violation: How much personally identifiable information could be disclosed? One individual (3), hundreds of people (5), thousands of people (7), millions of people (9)
  • 31. WHO ARE THE STAKEHOLDERS? Big problem #3: 
 The risks that frighten people 
 are not the same ones that “kill” them.
  • 32. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS? ?
  • 33. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 34. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 35. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 36. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 37. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 38. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 39. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 40. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 41. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 42. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 43. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 44. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 45. WHO ARE THE STAKEHOLDERS? Big problem #4: 
 Risks are difficult to compare across the board
  • 46. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 47. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 48. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 49. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 50. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 51. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 52. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 53. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 54. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
  • 55. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?
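Worked example of the scoring the slides describe, added here and not part of the ISACA deck: slides 19 to 23 list the OWASP likelihood and impact factors with their 0 to 9 scores, and slide 11 combines the two estimates as R = L × I. The block scores one constructed finding with those factor names, computes L and I, the slide's numeric R, and the OWASP severity band. Two details are assumptions rather than page content: averaging the factor scores and the LOW (< 3) / MEDIUM (3 to < 6) / HIGH (≥ 6) cut-offs with the likelihood-by-impact severity matrix follow the published OWASP Risk Rating Methodology, which the slides summarise but do not spell out, so check them against the current OWASP page. The constructed scenario is scored twice, once with the technical impact factors and once with the business factors, to show that the same finding lands in different severity bands depending on which impact view the audience gets, which is the point of slides 23 and the "different languages" problem of slide 7.

```python
# Added example (not from the ISACA slides): OWASP-style risk rating of one
# finding, then R = L x I as on slide 11. Averaging and the LOW/MEDIUM/HIGH
# cut-offs are taken from the published OWASP Risk Rating Methodology
# (assumption: verify against the current OWASP page).
from statistics import mean

# Factor names as the slides list them; each is scored 0 to 9.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",            # threat agent, slide 20
    "ease_of_discovery", "ease_of_exploit", "awareness",       # vulnerability, slide 21
    "intrusion_detection",
)
TECHNICAL_IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                            "loss_of_availability", "loss_of_accountability")   # slide 22
BUSINESS_IMPACT_FACTORS = ("financial_damage", "reputation_damage",
                           "non_compliance", "privacy_violation")               # slide 23

# (likelihood band, impact band) -> overall severity, OWASP matrix (assumption).
SEVERITY = {
    ("LOW", "LOW"): "NOTE",     ("MEDIUM", "LOW"): "LOW",       ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",   ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM",  ("MEDIUM", "HIGH"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def average_score(scores, required):
    """Average the 0-9 scores of exactly the factors in `required`.

    Rejects missing or unexpected factors and out-of-range values so a
    half-filled assessment cannot silently produce a low rating.
    """
    missing = set(required) - set(scores)
    extra = set(scores) - set(required)
    if missing or extra:
        raise ValueError(f"missing factors {sorted(missing)}, unexpected {sorted(extra)}")
    for name, value in scores.items():
        if not 0 <= value <= 9:
            raise ValueError(f"{name} must be scored 0 to 9, got {value}")
    return mean(scores[name] for name in required)


def level(score):
    """Map a 0-9 estimate to the LOW / MEDIUM / HIGH band (assumed OWASP cut-offs)."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(likelihood_scores, impact_scores, business=False):
    """Return likelihood L, impact I, the slide's R = L x I and the severity band.

    business=True scores impact with the business factors of slide 23 instead of
    the technical factors of slide 22 (the view the slides suggest for executives).
    """
    impact_factors = BUSINESS_IMPACT_FACTORS if business else TECHNICAL_IMPACT_FACTORS
    L = average_score(likelihood_scores, LIKELIHOOD_FACTORS)
    I = average_score(impact_scores, impact_factors)
    return {"likelihood": L, "impact": I, "R": L * I,
            "severity": SEVERITY[(level(L), level(I))]}


# Constructed scenario (not a real finding): reachable by anonymous Internet users,
# public knowledge, automated tooling available, and never logged.
EXAMPLE_LIKELIHOOD = {
    "skill_level": 3, "motive": 4, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 9,
}
# Technical view: extensive critical data disclosed, integrity and availability
# untouched, actions completely anonymous.
EXAMPLE_TECHNICAL = {"loss_of_confidentiality": 7, "loss_of_integrity": 1,
                     "loss_of_availability": 1, "loss_of_accountability": 9}
# Business view of the same finding: significant effect on annual profit, loss of
# goodwill, clear compliance violation, thousands of people affected.
EXAMPLE_BUSINESS = {"financial_damage": 7, "reputation_damage": 5,
                    "non_compliance": 5, "privacy_violation": 7}

if __name__ == "__main__":
    for audience, scores in (("technical", EXAMPLE_TECHNICAL), ("business", EXAMPLE_BUSINESS)):
        r = rate(EXAMPLE_LIKELIHOOD, scores, business=(audience == "business"))
        print(f"{audience:9s} L={r['likelihood']:.2f} I={r['impact']:.2f} "
              f"R={r['R']:.2f} severity={r['severity']}")
```

With the constructed scores the likelihood averages 7.375 (HIGH) in both runs; the technical impact averages 4.5 (MEDIUM, overall HIGH) while the business impact averages 6.0 (HIGH, overall CRITICAL). Reporting only the technical view to a board would therefore understate the finding relative to the business view the slides recommend for that audience. Note that the numeric R = L × I is a ranking aid only: both L and I remain the qualitative estimates slide 9 warns about, so R compares findings rated on the same scales and does not convert into money or frequency.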