类别 全部 - processes - methodologies - leadership - resources

作者:r r 2 年以前

310

Certified Risk Manager

Risk management in information security involves structured methodologies and frameworks to identify, assess, and mitigate risks. Key to this process is the alignment of Information Security Management Systems (

Certified Risk Manager

Controls

Administrative

Legal

Managerial

Standards & Methodolgy

Certified Risk Manager

Domain 3: Information security risk management framework and process based on ISO/IEC 27005

Risk Acceptance
7.1 Accept the Risk Treatment Plan

Presenting to mgmt

Risk Owners to accept

Residual Risk

Risk Treatment
Risk Assessment Using a Quantitative Method
Risk Evaluation
Risk Analysis
Risk Identification
Activities to identify

Identify Consequences/Impact

Identify Vulnerabilities

existing controls

Threats ISO/IEC 27005, clause 8.2.3

3.1 Assets

Information Gathering Techniques

Scanning Tools

Code Review

Pen testing

Vulnerability scanning

Documentation Review

Interviews

cover all subjects

take notes

Open-ended questions and clarify responses

Questionanaires

DOMAIN 4: Other information security risk assessment methods

Methodologies
Subtopic
Efficient Communication Strategy

DOMAIN 1 Fundamental principles and concepts of information security risk management

2. Context Establishment
2.5 Define the Scope and Boundaries - clause 7.3

Constraints - Annex A.3

Organisational

managerial

development

admin

Maintenance

Operation

Methods

Time

Environmental

Financial

Technical

Interfaces have to be taken into account

Exclusions have to be justified and documented

2.4 Determine the Basic Criteria

Risk Acceptance (clause 7.2.4) Annex E 2.2

Quantitative or Qualitative

Acceptance Maintenance Criteria

technology

social and humanitarian factors

finance

operations

business criteria

Impacts (to the org caused by an info sec event)

impairment of operations (internal or 3rd party)

breaches of info sec (CIA)

damage to rep

classificaion of impacted info asset

Evaluation of Risk (clause 7.2.2)

stakeholders' expectations and perceptions

operational and business importance of CIA

criticality of the info assets involved

strategic value of business info process

2.3 Determine the Objectives (of the risk management activity)

Internal Polocies

Market

Standards

Laws and Regulations

2.2 Identification and Analysis of Stakeholders
2.1 Understanding the Organisations Context

Establish Internal and External Context

Strategies

Ask people "what keeps you up and night?"

STEP (Social, Technical, Economical, Political)

PEST (Political, Economic, Social, Technological)

SWOT (Strengths Weaknesses, Opportunties, Threats)

Understand Key Processes

Objectives

Values

Mission

Risk Management Objectives

1. Risk Management Program
1.10 Provide the Resources - clause 7.1
1.9 Plan Activities for Risk Assessment
1.8 Select a Risk Assessment Methodology

CRAMM

NIST 800-30

MEHARI

OCTAVE

1.7 Select and Information Assessment Approach

Output

List of assessed risks that are prioritsed

Action

Risks Idenified, quantitavely or qualitiively

Input

Scope

1.6 Implement a Risk Management Process - clause 7.4
1.5 Establish a Risk Management Policy

Is readily available within the organisation

Becomes part of the culture of the organisation

1.4 Ensure Accountability

Identify individuals who have the accountability and authority to manage risk

Risk Management = core business responsibility

1.3 Define Responsibilites of Principal Stakeholders

Internal audit

Public relations

Legal service

regulatory and contractual

IT Technician

implement technical solutions for measuring and managing the daily operations

Info Sec

Identify controls to manage risk

HR

Finance

Cost/Benefit analysis

Top Mgmt

1.2 Assign Responsibility for Risk Management

Assign to roles

1.1 Demonstrate Leadership and Commitment

Support from senior leaders

Demming
Alignment of ISMS and Information Security Risk Management Process

Information Security Risk Management Framework and processes based on ISO/IEC 27005

Annexes are very good
clause 7-12