Establishing Effective Risk Management Frameworks
1. Ahmed Qurram Baig
Information Security & GRC Expert
ESTABLISHING EFFECTIVE RISK MANAGEMENT FRAMEWORK FOR COMPLIANCE
Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat. - Sun Tzu
2. AGENDA
• Challenges & benefits of information security governance
• Characteristics of an effective information security governance program
• Industry best practices and the steps in the information security program lifecycle
Ahmed Qurram Baig, Copyright, 2013.
3. CHALLENGES TO RISK MANAGEMENT & GOVERNANCE
• Balancing extensive requirements originating from multiple governing bodies
• Balancing legislation and company-specific policy
• Evolving the program to support new requirements and new legislation
• Prioritizing available funding according to the requirements introduced
4. BENEFITS OF RISK MANAGEMENT & GOVERNANCE
• Strategic Alignment
• Risk Management
• Convergence & Business Process Assurance
• Resource Management:
• Governance provides clarity of roles and responsibilities
• Governance empowers the people who are responsible with the authority they need
• Monitoring & Performance Measurement
• Value Delivery
5. INFORMATION SECURITY, RISK & GOVERNANCE FRAMEWORK
[Framework diagram; the components recovered from the slide are:]
• Inputs: Business & Regulatory Requirements; Business Strategy; Risk Assessment; Business Impact Analysis
• Strategic Planning: Risk Management / Information Security Strategy, owned by Senior Management, the Steering Committee & Executive Management (ERM / CISO / Steering Committee or Information Security Forum)
• Organization: Organization Structure; Roles and Responsibilities
• Implementation: Enterprise Security Architecture; Policies and Standards; Guidance
• Monitoring & Reporting, feeding back into strategic planning
6. STEPS : INFORMATION SECURITY FOR RISK MANAGEMENT, GOVERNANCE & COMPLIANCE
• Define and enumerate the desired outcomes
• Assess the current security state and the required state
• Describe the attributes and characteristics of the current and desired states
• Perform a gap analysis to identify the prerequisites for reaching the desired state
• Determine available resources and constraints
• Develop a roadmap to address the gaps within the available resources and constraints
• Develop control objectives and controls that support the strategy
7. ENTERPRISE SECURITY ARCHITECTURE & RISK MANAGEMENT
[Architecture diagram; the layers recovered from the slide are:]
• Business Architecture: Business & Services; Information Systems; Employees & Third Party Staff; Locations & Facilities
• Technology Security (layered): Data; Application; Host; Network
• Physical Security: Locations & Facilities
• People & Process controls: Roles and Responsibilities; Authority Matrix; Recruitment Process; Disciplinary Process; Access Management; Security Awareness
• Governance inputs: Goals and Objectives; KPI & KRI (Key Performance Indicators & Key Risk Indicators); Regulations & Compliance; Policies and Standards
• Assurance spans all layers; Risk Management drives the Security Architecture
8. INFORMATION SECURITY & RISK MANAGEMENT ACTIVITIES
Governance and Strategic Security
• Security Program Management
• Policies/Procedures Creation and Review
• Enterprise Security Architecture
• Audit & Compliance Readiness
Operational Security
• Security Operations
• Incident & Breach Response
• Penetration Testing
• Vulnerability Scanning & Management
• Software and Application Security
Risk Management
• Independent Assessments
• Continuous Monitoring & Reporting
Security Awareness & Education cuts across all of the above and across People, Process, Technology and Partners.
CISO responsibilities:
• Heading an office with the mission and resources to assist in ensuring agency compliance with information security requirements
• Periodically assessing risk and the magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency
• Developing and maintaining risk-based, cost-effective information security policies, procedures, and control techniques that address all applicable requirements throughout the life cycle of each agency information system
• Facilitating development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems
• Ensuring that agency personnel, including contractors, receive appropriate information security awareness training
• Training and overseeing personnel with significant information security responsibilities
• Periodically testing and evaluating the effectiveness of information security policies, procedures, and practices
• Establishing and maintaining a process for planning, implementing, evaluating, and documenting remedial action to address deficiencies in the agency's information security policies, procedures, and practices
• Developing and implementing procedures for detecting, reporting, and responding to security incidents
• Ensuring preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support the operations and assets of the agency
• Supporting the agency CIO in annual reporting to the agency head on the effectiveness of the agency information security program, including progress of remedial actions