Information Risk Management
ensuring secure and reliable corporate computing
Things Can Go Wrong
Imagine:
- Your purchase system makes you overpay a crore a year
- Your competitor knows all about your ‘unique’ product
- All your emails are read by the person in the opposite cubicle or, worse, the taxman!
Information Risk Needs Attention
- IT, in most organisations, has grown organically
- Islands of IT
- Just too many promises
- Excuses, excuses, excuses
- Is IT investment paying off?
Aspects of Information Risk Management
- Control
- Security
- Reliability
- Operational Efficiency
- Business Continuity
- ROI
- Compliance
Risk and Control
- The central concept
- Anticipating what can go wrong
- Prevention of ‘incidents’
- Being prepared
Information Systems Security
[Diagram: Information Assets at the centre, protected for Confidentiality, Integrity and Availability; surrounding threat sources: Acts of God; Hackers etc.; Human Errors, Accidents; Competitors, Adversaries; Manipulating Processes]
Threats To IS Security
- Buggy / not well designed software
- Lack of operational controls
- Casual attitude towards systems security
- Vendor stability
- Environmental hazards
- Accidents / errors
- Malicious attacks
  - Hacking
  - DOS
  - Social engineering
  - Insiders
  - Virus, etc.
IS Policies & Procedures
- The first and most critical component of any IS risk management programme
- Sets a baseline from which to operate
- Communicates management’s intent
- Describes acceptable uses of various systems and expectations from users
- Based on ‘Best Practices’
- Establishes the framework for Business Continuity and Disaster Recovery
Risk Management Life Cycle
[Diagram: cycle of Assess, Anticipate, Visualise, Formulate, Implement, Maintain, Monitor, Review and Revise; activities: Analyse Current State, Risk Assessment, Policy Gap Analysis; inputs: Organisation Objectives, Business Processes, Technological Capabilities, External Environment]

Roadmap
- IT Strategy
- Comprehensive risk assessment
- Establishment of control framework
- IT Policy
- Security implementation
- User awareness and training
- Audit