Cyber Security Management
Risk Assessment & Management + Business Continuity Planning
What is Risk?
Risk has two parts:
1. The probability of an event occurring
2. The consequences of the event occurring (including the level of severity)
[Figure: program life-cycle stages in which risk is assessed: Requirements Development; Problem/need definition; Functional Analysis & Allocation; Design; Verification & Validation; Delivery]
Risk Types
The three most recognized types of risk in government and commercial practice:
1. Technical
2. Cost
3. Schedule
Risk Types
1. Technical
The degree to which a technology is sufficiently mature and has been demonstrated as capable of satisfying program objectives.
Technical risk is frequently the driver in the development phase of a program.
Risk Types
2. Cost
Availability and sufficiency of funding for the program.
Government appropriations and funding cycles are also subject to political risks.
Commercial programs are subject to market risks.
Risk Types
3. Schedule
Adequacy of the time allocated for the defined tasks.
Includes the effects of changes due to unpredictable events such as:
- program and technical decisions
- time-to-market pressure
- labor problems
- weather and customer-directed changes
Risk Types
Others
- Adequate staffing and resources
- Professional/enterprise reputation
- External: political, social, regulatory/legislative
Asset Definition
The first step in the risk analysis process is to define the asset that is going to have the risk analysis performed upon it.
Establish the boundaries of what is to be reviewed; without defined boundaries the risk analysis will fail.
Gather relevant information about the asset or process under review.
The risk management team can use a number of techniques for this, including questionnaires, on-site interviews and documentation review.
(1) Threat Identification
Natural threats: floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
Human threats: events that are either enabled by or caused by human beings (error, fraud, malicious software use, unauthorized access).
Environmental threats: long-term power outages, pollution, chemical spills, or liquid leakage.
Historical data
Risk Mitigation
A systematic methodology used by senior management to reduce organizational risk.
Risk assumption: after completing the risk analysis process, management decides whether to accept the risk or to implement the controls recommended by the risk management team that will lower the risk to an acceptable level.
Risk avoidance: the risk analysis and management team chooses to avoid the risks by eliminating the process that could cause them.
Risk limitation:
Risk planning: a risk mitigation plan that prioritizes, implements, and maintains controls.
Risk transference: management transfers the risk using other options that compensate for a loss, such as purchasing an insurance policy.
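The two-part definition of risk above (probability and consequence), the threat categories, and the choice between assuming a risk and treating it, worked through as an added example that is not part of the original slides. The register, the 1-5 severity scale and the tolerance threshold are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class Threat:
    """One threat against the asset under review, scored with the slide's two parts."""
    name: str
    category: str       # natural / human / environmental, as in the threat identification step
    probability: float  # part 1: chance the event occurs in the review period (0.0 - 1.0)
    consequence: int    # part 2: severity of the consequences, assumed 1 (minor) to 5 (severe)

    @property
    def risk(self) -> float:
        # Risk = probability of occurrence x consequence (with severity)
        return self.probability * self.consequence


# Constructed register for a single asset (hypothetical values)
REGISTER = [
    Threat("flood", "natural", 0.05, 5),
    Threat("unauthorized access", "human", 0.40, 4),
    Threat("operator error", "human", 0.60, 2),
    Threat("long-term power outage", "environmental", 0.10, 3),
    Threat("chemical spill", "environmental", 0.01, 4),
]

# Assumed tolerance: scores at or below this may be accepted (risk assumption)
RISK_TOLERANCE = 1.0


def rank_threats(register):
    """Highest-risk threats first, so the team treats the largest exposure first."""
    return sorted(register, key=lambda t: t.risk, reverse=True)


def classify(threat, tolerance=RISK_TOLERANCE):
    """'assume' when the score is within tolerance; otherwise 'treat' via the
    remaining options on the slide (limit, avoid, plan or transfer)."""
    return "assume" if threat.risk <= tolerance else "treat"


def risk_by_category(register):
    """Aggregate risk per threat category (natural / human / environmental)."""
    totals = defaultdict(float)
    for t in register:
        totals[t.category] += t.risk
    return dict(totals)


def mitigation_plan(register, tolerance=RISK_TOLERANCE):
    """(name, score, decision) for each threat, ranked by score."""
    return [(t.name, round(t.risk, 2), classify(t, tolerance)) for t in rank_threats(register)]
```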
Responsibilities:
The policy states who does what in relation to applying the policy throughout the organization. While creating the policy we stay away from naming individuals and stick to talking about positions: Senior Management, Information Security, etc.
Compliance
How is the CBP best applied, and what happens if the CBP does not handle breaches?
3. Information Meeting
The information meeting should tell managers in detail what is going to happen, what is required, what will be done with the information gathered and what the managers need to do.
4. Information Gathering
The success of the BIA depends on gathering accurate information about the business processes in the organization.
Organization and people:
Locations and numbers
Constraints:
5. Questionnaire Design
The use of a questionnaire is critical because it ensures that everyone participating will be answering the same set of questions about their business.
The questionnaire covers the following:
1. complete information about the respondents themselves,
2. the department in which they work,
3. the business function they are about to describe.
Conducting interviews.
Tabulating information.