Security Risk Management, tough path to success

Presenter: Vi Minh ToaiDate: Sep 10, 2016

Security Bootcamp 2016 - Dong Thap

Xin cảm ơn các nhà tài trợ

Who am I?• 10+ years of working experience in IT industry.• IT Security Manager of RMIT Vietnam University.• Certificates: CISSP, CISM, CEH• Email: minhtoai@gmail.com

Something you should know:

• Silence your phone.• Raise questions at the end of the present. • WC.• Emergency exit.

Agenda• Several Vietnam Security Incidents in 2016• Security Risk Management

Several Vietnam Security Incidents in 2016• May 2016: TPBank• July 2016: Vietnam Airlines (Jul 29)• August 2016: Vietcombank (Aug 04, Aug 16, Aug 19)

Security incident – Vietnam Airlines

Vietnam Airlines

Security incident - Vietnam Airlines (cont.)• Possible Impact: • Flight safety.• Reputation lost. (TRUST)• Over 400,000 accounts of Vietnam Airlines’ members

were leaked.• Delays of flights: more than 100 flights: 64 from TSN, 30

from Noi Bai.• Current customer password must be changed.• Cost.• Time.

(Statistic extracts from VietnamNet, VNExpress, Vietnam Airlines website)

Security Incident - Vietcombank

Vietcombank

Security Incident- Vietcombank (cont.)• Possible Impact: • VND200 million ($8,929) had been stolen.• VCB stock went down (VND 4000 billion were gone).• Reputation lost. (TRUST)(Statistics extract from tuoitrenews, vietnamnet website)

Look up the RISKS -> Set up Controls -> Cover Actions -> Reduce the IMPACT

Security Risk ManagementRisk is:“The effect of uncertainty on the ability of an organisation to meet its

objectives.” (ISO 31000:2009)

Risk Management is:the process of identifying and assessing the risk, reducing it to an

acceptable level, and ensuring it remains at that level.

Security Risk Management (cont.)

Risk = Threats x Vulnerabilities x

3 components of CIA Triad

The relationships among the different security concepts

Important of Security Risk Managementa. Better oversight of organizational assets.b. Minimized loss.c. Identification of threats, vulnerabilities and risk.d. Prioritization of risk response efforts.e. Legal and regulatory compliance.f. Increased likelihood of project success.g. Better incident and business continuity management.

Several types of information security riska. Physical damageb. Human interactionc. Equipment malfunctiond. Inside and outside attackse. Misuse of dataf. Loss of datag. Application error

Risk Type

“Above the line”“Below the line”

Risk level matrix

Security Risk Management (cont.) - Controls

Control types:a.Administrativeb.Technicalc. Physical

Security Risk Management (cont.) - Controls

Controls Functionalities:a.Preventiveb.Detectivec. Correctived.Deterrente.Recoveryf. Compensating

Risk Management Process

Methodologies for Risk Assessment

a.Quantitative Risk Assessmentb.Qualitative Risk Assessmentc. Semi-quantitative Risk Assessment

Reference:d.NIST SP800-30e.FRAP (Facilitated Risk Analysis Process)f. OCTAVE (Operationally Critical Threat, Asset, and

Vulnerability Evaluation)g.ISO/IEC 31010

Risk Treatment

a.Avoid the riskb.Reduce the riskc. Transfer the riskd.Accept the risk

What is an effective risk management?

a.Senior management support.b.Suitable Risk Management Framework.c. Effective Risk Management Process.d.Communication.

References

CISSP All-in-One Exam Guide 7th Edition, Shon Harris – Fernando Maymi

ISACA CRISC Review Manual 2015 ISACA CISM Review Manual 2015 NIST SP800-30 Google Search

Questions and Answers

THANK YOU!!!HAVE A NICE WEEKEND