Presenting to mgmt
Risk Owners to accept
Residual Risk
Identify Consequences/Impact
Identify Vulnerabilities
existing controls
Threats ISO/IEC 27005, clause 8.2.3
3.1 Assets
Scanning Tools
Code Review
Pen testing
Vulnerability scanning
Documentation Review
Interviews
cover all subjects
take notes
Open-ended questions and clarify responses
Questionnaires
Constraints - Annex A.3
Organisational
managerial
development
admin
Maintenance
Operation
Methods
Time
Environmental
Financial
Technical
Interfaces have to be taken into account
Exclusions have to be justified and documented
Risk Acceptance (clause 7.2.4) Annex E 2.2
Quantitative or Qualitative
Acceptance Maintenance Criteria
technology
social and humanitarian factors
finance
operations
business criteria
Impacts (to the org caused by an info sec event)
impairment of operations (internal or 3rd party)
breaches of info sec (CIA)
damage to rep
classification of impacted info asset
Evaluation of Risk (clause 7.2.2)
stakeholders' expectations and perceptions
operational and business importance of CIA
criticality of the info assets involved
strategic value of business info process
Internal Policies
Market
Standards
Laws and Regulations
Establish Internal and External Context
Strategies
Ask people "what keeps you up at night?"
STEP (Social, Technical, Economical, Political)
PEST (Political, Economic, Social, Technological)
SWOT (Strengths, Weaknesses, Opportunities, Threats)
Understand Key Processes
Objectives
Values
Mission
Risk Management Objectives
CRAMM
NIST 800-30
MEHARI
OCTAVE
Output
List of assessed risks that are prioritised
Action
Risks identified, quantitatively or qualitatively
Input
Scope
Is readily available within the organisation
Becomes part of the culture of the organisation
Identify individuals who have the accountability and authority to manage risk
Risk Management = core business responsibility
Internal audit
Public relations
Legal service
regulatory and contractual
IT Technician
implement technical solutions for measuring and managing the daily operations
Info Sec
Identify controls to manage risk
HR
Finance
Cost/Benefit analysis
Top Mgmt
Assign to roles
Support from senior leaders