Risk Anticipation with Risk Management
Contents:
• Understand risk management concepts
• Learn to manage risk through a risk management program
• Learn different risk management frameworks (RMFs)
Understand risk management concepts
• “Risk and vulnerability management is a pro-active approach to manage network security”
• Risk management is the process of reducing and maintaining risk at an
acceptable level by means of a well-defined and actively employed security
program
• It involves identifying, assessing, and responding to the risks by implementing
controls to help the organization manage the potential effects
• Risk management has a prominent place throughout the system security lifecycle
Risk Management
Risk Management Benefits:
• Focuses on potential risk impact areas
• Addresses risks according to the risk level
• Improves the risk handling process
• Allows the security officers to act effectively in adverse situations
• Enables effective use of risk handling resources
• Minimizes the effect of risk on the organization’s revenue
• Identifies suitable controls for security
Key Roles and Responsibilities in Risk Management
• Senior Management: The support and involvement of senior management is
required for effective risk management
• Chief Information Officer (CIO): Responsible for IT planning, budgeting, and
performance based on a risk management program
• System and Information Owners: Responsible for the appropriate security control
use to maintain confidentiality, integrity, and availability for an information system
• Business and Functional Managers: Responsible for making trade-off decisions in
the risk management process
• IT Security Program Managers and Computer Security Officers (ISSO): Responsible
for an organization’s information security programs
• IT Security Practitioners: Responsible for implementing security controls
• Security Awareness Trainers: Responsible for developing and providing appropriate
training in the risk management process
Key Risk Indicators (KRI)
• A key risk indicator (KRI) is an important component of an effective risk
management process that shows the riskiness of an activity
• Understanding the organizational goals is required to identify KRI
• A KRI is a metric showing the risk appetite probability for an organization
Manage risk through risk management program
Risk Management Phase: Risk Identification
• Identifying the sources, causes, and consequences of the internal and external
risks affecting the security of the organization
• The risk assessment phase assesses the organization’s risk and provides an
estimate on the likelihood and impact of the risk
• The risk assessment is an on-going, iterative process that assigns priorities to risk
mitigation and implementation plans. It determines the quantitative and
qualitative value of risk
Risk Management Phase: Risk Assessment
Risk Analysis:
• Defines the nature of the risk
• Determines the level of risk exposure
• Provides an understanding of inherent and controlled risk
Risk Prioritization:
• Risks are prioritized and treated according to the severity
• While performing the risk response step, consider the risk prioritization
Risk Levels: The impact level of a risk depends on the value of assets and resources it affects,
and the severity of the damage.
Risk Matrix: A risk matrix is used to scale risk by considering the probability, likelihood, and
consequence/impact of the risk
Risk Treatment:
• Risk treatment is a process of selecting and implementing appropriate controls on the
identified risks
• Risks are addressed and treated based on their severity level
• Decisions made in this phase are based on the results of a risk assessment
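The assessment, prioritization and treatment steps above, worked through as a small risk register in Python. This is an added illustration, not material from the original slides; the 5x5 matrix thresholds, the register entries, the control-effectiveness factor and the appetite threshold are all constructed assumptions.

```python
from dataclasses import dataclass

# 5x5 matrix: score = likelihood x impact, bucketed into qualitative levels.
# Thresholds, register entries and appetite are assumptions, not from the slides.
RISK_LEVELS = ((20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low"))

@dataclass
class Risk:
    name: str
    likelihood: int   # 1..5, probability the threat event occurs
    impact: int       # 1..5, severity of damage, driven by asset value
    control_effectiveness: float = 0.0  # 0.0 (no control) .. 1.0 (fully mitigated)

    def inherent_score(self) -> int:
        """Matrix cell before any controls are considered."""
        return self.likelihood * self.impact

    def controlled_score(self) -> float:
        """Residual risk once existing controls reduce the inherent score."""
        return self.inherent_score() * (1.0 - self.control_effectiveness)

def risk_level(score: float) -> str:
    """Map a matrix score onto the level used for prioritization."""
    for threshold, label in RISK_LEVELS:
        if score >= threshold:
            return label
    return "Low"

def prioritize(register):
    """Risk prioritization: highest residual risk is treated first."""
    return sorted(register, key=lambda r: r.controlled_score(), reverse=True)

def treatment(risk: Risk, appetite: float) -> str:
    """Treatment decision based on the assessment result and the risk appetite."""
    if risk.controlled_score() <= appetite:
        return "accept"  # within appetite: monitor only
    if risk.likelihood == 5 and risk.impact == 5:
        return "avoid"   # abort the activity that creates the risk
    return "reduce"      # add controls to lower likelihood or impact

REGISTER = [  # constructed sample register
    Risk("Telnet admin on internet-facing switch", 5, 5),
    Risk("Unpatched VPN gateway", 4, 5, control_effectiveness=0.2),
    Risk("Phishing against finance staff", 4, 3, control_effectiveness=0.5),
    Risk("Laptop loss without disk encryption", 2, 4, control_effectiveness=0.75),
    Risk("Outdated printer firmware", 2, 1),
]
APPETITE = 4.0  # assumed residual score the organization will carry
```

Calling `prioritize(REGISTER)` and `treatment(r, APPETITE)` for each entry yields the treated order and decision; with these values the telnet entry is avoided, the VPN and phishing entries are reduced, and the two low residual risks are accepted.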
Risk Treatment Process
Learn different risk management frameworks
Enterprise Network Risk Management
Enterprise network risk management integrates mitigation techniques
in a systematic approach to obtain the goals and objectives for
satisfying business requirements.
Enterprise Risk Management Framework (ERM)
• Activities: The RMF defines the implementation activities specific to how
an organization handles risk
• Structured Process: The ERM provides a structured process integrating
information security and risk management activities
• Actions: ERM frameworks identify, analyze, and perform the following
actions:
• Risk avoidance by aborting the actions that lead to risk
• Risk reduction by minimizing the likelihood or impact of risk
• Provides risk management process standards
Goals of the ERM Framework
• Integrates the ERM with the organization’s performance management
• Communicates the benefits of risk management
• Defines the roles and responsibilities in the organization to manage the
risk
• Standardizes the risk reporting and escalating process
• Sets a standard approach to manage risks in the organization
• Assists the resources in managing the risks
• Sets the scope and application of risk management in the organization
• Mandates periodic review and verification for improvements of the
ERM
NIST Risk Management Framework
NIST RMF is a structured and continuous process that integrates information security
and risk management activities into the system development life cycle
• Prepare: Essential activities to prepare the organization to manage security and
privacy risks
• Categorize: Categorize the system and information processed, stored, and
transmitted based on an impact analysis
• Select: Select the set of NIST SP 800-53 controls to protect the system based on risk
assessment(s)
• Implement: Implement the controls and document how controls are deployed
• Assess: Assess to verify if the controls are in place, operating as planned, and
producing the anticipated results
• Authorize: Senior official makes a risk-based decision to authorize the system (to
operate)
• Monitor: Continuously monitor control implementation and risks to the system
Thank you