Key pillars for effective risk management
Transcript of Key pillars for effective risk management
KEY PILLARS FOR EFFECTIVE RISK MANAGEMENT
Ramana Krothapalli
"Living at risk is jumping off the cliff and building your wings on the way down." (Ray Bradbury)

AGENDA
- Information Security & Risk Management
- Current Information Security Scenario
- Key pillars of effective Risk Management
- Risk Management Standards & Frameworks
INFORMATION SECURITY & RISK MANAGEMENT

Information Security
- More focused on technology than business
- Compliance driven
- Identify risks
- Define controls
- Monitor controls

Information Risk Management
- Areas to be secured
- Business value & business impact
- Compliance & strategy
- Structured approach
- Provides decision makers with information
- Does not make decisions for the business
CURRENT INFORMATION SECURITY SCENARIO
KEY PILLARS OF EFFECTIVE RISK MANAGEMENT
KEY PILLARS OF EFFECTIVE RISK MANAGEMENT

Culture
- Contributes to the success of Risk Management
- Acceptable risk-seeking behaviour
- Communicating appropriate norms, values & expectations of ethical behaviour

Leadership
- Provides vision, goals and strategy for Risk Management
- Models the desired behaviour
KEY PILLARS OF EFFECTIVE RISK MANAGEMENT

Alignment
- Ensures leadership reinforces cultural norms
- Systems support appropriate structures
- Risk Management is integrated with governance and strategy making

Structure
- Standards, frameworks
- Provides a formal framework for the necessary responsibilities
- Structures of reporting lines, roles, teams & committees

Systems
- Information Technology
- Knowledge Management
- Accounting and financial controls

*Drew, Kelley and Kendrick (2006)
RISK MANAGEMENT STANDARDS & FRAMEWORKS

NIST SP 800 Series
- NIST SP 800-39 – Managing Information Security Risk, released in 2011 (supersedes NIST SP 800-30)
- Provides guidance for an integrated, organization-wide program for managing information security risk to organizational operations
- MULTITIERED RISK MANAGEMENT (figure title)
- NIST SP 800-30, revised in 2012 (Guide for Conducting Risk Assessments)

ISO Standards
ISO 27005:2011 (Information security risk management)
- Designed to assist the satisfactory implementation of information security based on a risk management approach
- Applicable to all types of organizations
- Specialized standard that provides best practices for managing the risks related to information security

ISO 31000:2009 (Risk management — Principles and guidelines)
- Framework for Enterprise Risk Management
- Can be used for any type of risk, including information security, business continuity, market, currency, credit, operational, and others
- Does not provide a specific methodology
RISK MANAGEMENT STANDARDS & FRAMEWORKS
COSO ERM Framework
- Defines essential enterprise risk management components
- Discusses key ERM principles and concepts
- Suggests a common ERM language
- Provides clear direction and guidance for enterprise risk management
- 4 objective categories, 8 components & entity units

COBIT (Risk IT)
- Risk IT complements and extends COBIT and Val IT to make a more complete IT governance guidance resource
- It covers all IT-related risks, not just information security
- Integrates the management of IT-related business risks into overall enterprise risk management
- Links with enterprise-wide risk management concepts and approaches, such as COSO ERM, ISO 31000, etc.
RISK MANAGEMENT STANDARDS & FRAMEWORKS
CONCLUSION
- Standards and frameworks tend to be conceptual
- Little guidance on practical implementation
- More similarities than differences among standards
- The majority of the standards are generic, applicable to all industries & sectors
- Elements in each of the standards may be useful or adaptable for specific organizations
- It is the ‘key pillars’ that matter for successful risk management
Q & A
Thank You