Vi Minh Toại - Security Risk Management, tough path to success
Security Risk Management, tough path to success
Presenter: Vi Minh Toai
Date: Sep 10, 2016
Security Bootcamp 2016 - Dong Thap
Thank you to our sponsors
Who am I?
• 10+ years of working experience in the IT industry.
• IT Security Manager of RMIT Vietnam University.
• Certificates: CISSP, CISM, CEH
• Email: [email protected]
Something you should know:
• Silence your phone.
• Raise questions at the end of the presentation.
• WC.
• Emergency exit.
Agenda
• Several Vietnam Security Incidents in 2016
• Security Risk Management
Several Vietnam Security Incidents in 2016
• May 2016: TPBank
• July 2016: Vietnam Airlines (Jul 29)
• August 2016: Vietcombank (Aug 04, Aug 16, Aug 19)
Security incident – Vietnam Airlines
Security incident - Vietnam Airlines (cont.)
• Possible Impact:
  • Flight safety.
  • Reputation lost. (TRUST)
  • Over 400,000 accounts of Vietnam Airlines' members were leaked.
  • Delays of flights: more than 100 flights: 64 from TSN, 30 from Noi Bai.
  • Current customer passwords must be changed.
  • Cost.
  • Time.
(Statistics extracted from VietnamNet, VNExpress, Vietnam Airlines website)
Security Incident - Vietcombank
Security Incident - Vietcombank (cont.)
• Possible Impact:
  • VND200 million ($8,929) had been stolen.
  • VCB stock went down (VND 4000 billion were gone).
  • Reputation lost. (TRUST)
(Statistics extracted from tuoitrenews, vietnamnet website)
Look up the RISKS -> Set up Controls -> Cover Actions -> Reduce the IMPACT
Security Risk Management
Risk is:
"The effect of uncertainty on the ability of an organisation to meet its objectives." (ISO 31000:2009)
Risk Management is:
the process of identifying and assessing the risk, reducing it to an acceptable level, and ensuring it remains at that level.
Security Risk Management (cont.)
Risk = Threats x Vulnerabilities x
3 components of CIA Triad
The relationships among the different security concepts
Importance of Security Risk Management
a. Better oversight of organizational assets.
b. Minimized loss.
c. Identification of threats, vulnerabilities and risk.
d. Prioritization of risk response efforts.
e. Legal and regulatory compliance.
f. Increased likelihood of project success.
g. Better incident and business continuity management.
Several types of information security risk
a. Physical damage
b. Human interaction
c. Equipment malfunction
d. Inside and outside attacks
e. Misuse of data
f. Loss of data
g. Application error
Risk Type
• "Above the line"
• "Below the line"
Risk level matrix
Security Risk Management (cont.) - Controls
Control types:
a. Administrative
b. Technical
c. Physical
Security Risk Management (cont.) - Controls
Control functionalities:
a. Preventive
b. Detective
c. Corrective
d. Deterrent
e. Recovery
f. Compensating
Risk Management Process
Methodologies for Risk Assessment
a. Quantitative Risk Assessment
b. Qualitative Risk Assessment
c. Semi-quantitative Risk Assessment
Reference:
d. NIST SP800-30
e. FRAP (Facilitated Risk Analysis Process)
f. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
g. ISO/IEC 31010
Risk Treatment
a. Avoid the risk
b. Reduce the risk
c. Transfer the risk
d. Accept the risk
What is effective risk management?
a. Senior management support.
b. Suitable Risk Management Framework.
c. Effective Risk Management Process.
d. Communication.
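The "above the line" / "below the line" risk type, the risk level matrix and the four treatment options above can be tied together in a small risk register. The following is an added example written for this transcript, not code from the presentation; the 1-5 likelihood and impact scales, the level bands, the appetite line of 10 and the mapping from line position to treatment options are all assumed for illustration.

```python
# Added example: qualitative risk level matrix with an "above the line" cut.
# Scales, bands, the appetite line and the treatment policy are assumptions.
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Risk appetite: a score at or above this is "above the line" and must be
# treated; anything below it may be accepted (assumed policy).
APPETITE_LINE = 10

@dataclass
class Risk:
    name: str
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT

def score(risk: Risk) -> int:
    """Matrix score = likelihood x impact on the 1..5 scales (range 1..25)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]

def level(s: int) -> str:
    """Map a matrix score to a qualitative level (assumed bands)."""
    if s >= 20: return "Critical"
    if s >= 10: return "High"
    if s >= 5: return "Medium"
    return "Low"

def above_the_line(risk: Risk) -> bool:
    return score(risk) >= APPETITE_LINE

def treatment_options(risk: Risk) -> list[str]:
    """Assumed policy: above the line -> avoid/reduce/transfer; below -> accept."""
    return ["avoid", "reduce", "transfer"] if above_the_line(risk) else ["accept"]

def prioritise(risks: list[Risk]) -> list[tuple[str, int, str, bool]]:
    """Order the register by score, highest first, for response prioritisation."""
    rows = [(r.name, score(r), level(score(r)), above_the_line(r)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register, loosely modelled on the incidents in the talk.
SAMPLE = [
    Risk("Customer account database leaked", "possible", "severe"),
    Risk("Ticketing outage delays flights", "unlikely", "major"),
    Risk("Single customer account fraud", "likely", "minor"),
    Risk("Laptop theft from locked office", "rare", "minor"),
]

if __name__ == "__main__":
    for name, s, lvl, above in prioritise(SAMPLE):
        print(f"{s:>2} {lvl:<8} {'above' if above else 'below'} the line  {name}")
```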
References
CISSP All-in-One Exam Guide, 7th Edition, Shon Harris and Fernando Maymi
ISACA CRISC Review Manual 2015
ISACA CISM Review Manual 2015
NIST SP800-30
Google Search
Questions and Answers
THANK YOU!!!
HAVE A NICE WEEKEND