Establishing Effective Risk Management Frameworks
•
1 j'aime•1,189 vues
Ahmed Baig, CISO at Abu Dhabi Government Entity spoke at the CIO Middle East Event April 2013
Recommandé
Recommandé
Contenu connexe
En vedette
Similaire à Establishing Effective Risk Management Frameworks
Similaire à Establishing Effective Risk Management Frameworks (20)
Plus de Global Business Events
Plus de Global Business Events (20)
Dernier
Dernier (20)
Establishing Effective Risk Management Frameworks
- 1. Ahmed Qurram Baig Information Security & GRC Expert ESTABLISHING EFFECTIVE RISK MANAGEMENT FRAMEWORK FOR COMPLIANCE Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat. - Sun Tzu
- 2. AGENDA • Challenges & benefits of information security governance • Characteristics of an effective information security governance program • Discussing industry’s best practices and steps in the information security program lifecycle Ahmed Qurram Baig, Copyright, 2013.
- 3. CHALLENGES TO RISK MANAGEMENT & GOVERNANCE • Balancing extensive requirements originating from multiple governing bodies. • Balancing legislation and company specific policy. • Evolution to support different requirements and new legislation. • Prioritizing available funding according to requirements introduced. Ahmed Qurram Baig, Copyright, 2012.
- 4. BENEFITS OF RISK MANAGEMENT & GOVERNANCE • Strategic Alignment • Risk Management • Convergence & Business Process Assurance • Resources Management: • Governance provides clarity of roles and responsibilities • Governance empower people responsible with authority • Monitoring & Performance Measurement • Value Delivery Ahmed Qurram Baig, Copyright, 2012.
- 5. INFORMATION SECURITY, RISK & GOVERNANCE FRAMEWORK Strategic Planning Business Strategy Risk Management / Information Security Strategy Organization Structure Roles and Responsibilities Enterprise Security Architecture Implementation Policies and Standards Guidance Senior Management Steering Committee & Executive Management ERM / CISO / Steering Committee or Information Security Forum Monitoring&Reporting Risk Assessment Business Impact Analysis Business & Regulatory Requirement Ahmed Qurram Baig, Copyright, 2012.
- 6. STEPS : INFORMATION SECURITY FOR RISK MANAGEMENT, GOVERNANCE & COMPLIANCE Ahmed Qurram Baig, Copyright, 2012. Define and enumerate the desired outcomes Assess current security and required state Describe the attributes and characteristics of current and desired state Perform a gap analysis to identify prerequisites to reach the desired state Determine available resources and constraints Develop a roadmap to address gaps using available resources and constraints Develop control objectives and controls supporting strategy
- 7. ENTERPRISE SECURITY ARCHITECTURE & RISK MANAGEMENT Business Architecture Business & Services Information Systems Employees & Third Party Staff Locations & Facilities Data Application Host Network Roles and Responsibilities Authority Matrix Recruitment Process Disciplinary Process Access Management Security Awareness Goals and Objectives KPI & KRI (Key Risk Indicators) Regulations & Compliance Physical Security A s s u r a n c e Technology Security Ahmed Qurram Baig, Copyright, 2012. Policies and Standards Risk Management Security Architecture
- 8. INFORMATION SECURITY & RISK MANAGEMENT ACTIVITIES Governance and Strategic Security • Security Program Management • Policies/Procedures Creation and Review • Enterprise Security Architecture • Audit & Compliance Readiness Operational Security • Security Operations • Incident & Breach response • Penetration Testing • Vulnerability Scanning / (Management) • Software and Application Security Risk Management • Independent Assessments • Continuous Monitoring & Reporting Ahmed Qurram Baig, Copyright, 2012. SecurityAwareness&Education People Process Technology Partners
- 9. THANK YOU. Q & A
Notes de l'éditeur
- CISOHeading an office with the mission and resources to assist in ensuring agency compliance with information security requirements; Periodically assessing risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency; Developing and maintaining risk-based, cost-effective information security policies, procedures, and control techniques to address all applicable requirements throughout the life cycle of each agency information system to ensure compliance with applicable requirements; Facilitating development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems; Ensuring that agency personnel, including contractors, receive appropriate information security awareness training; Training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; Periodically testing and evaluating the effectiveness of information security policies, procedures, and practices; Establishing and maintaining a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency; Developing and implementing procedures for detecting, reporting, and responding to security incidents; Ensuring preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support the operations and assets of the agency; and Supporting the agency CIO in annual reporting to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.