
Group members

Name: Mohammad Musammar khan
Roll no: 16171519-034
Name: Ali
Roll no: 16171519-131
Name: Usman bhatti
Roll no: 17251519-019
Today's agenda
1. Risk management
2. Identification
3. Control
4. How risk is identified and assessed
What is Information Security Risk Management?

Information Security Risk Management, or ISRM, is the process of managing the risks that come with an organization's use of information technology.

In other words, organizations need to:

1. Identify security risks, including the types of computer security risk they face.
2. Develop a cyber security incident response plan.
Risk Management

• Organizations identify and evaluate risks to the confidentiality, integrity and availability of their information assets. This process can be broadly divided into two components:
• Risk assessment – combining the information gathered about assets, threats and existing controls to define and rate each risk
• Risk treatment – the actions taken to remediate, mitigate, avoid, accept, transfer or otherwise manage the risks
6 Stages of Information Security Risk Management
1. Identify – Data Risk Analysis

• This stage is the process of identifying your digital assets, which may include a wide variety of information:
• Company-confidential information such as product development material and trade secrets
• Personnel data that could expose employees to cyber security risks such as identity theft, and which falls under data-protection regulations
Identify – Data Risk Analysis

• During this stage you evaluate not only the potential for data loss or theft but also prioritize the steps to be taken to minimize or avoid the risk associated with each type of data.
• The result of the Identify stage is an understanding of your top information security risks, ready for evaluation. The analysis in this stage reveals data security issues such as:
• Potential threats – physical, environmental, technical, and personnel-related
• Data assets that should or must be protected and controlled
• This includes categorizing data for security risk management by level of confidentiality, applicable compliance regulations, financial risk, and acceptable level of risk.
2. Protection – Asset Management

This stage includes a variety of processes, from implementing security policies to installing specialised software:
• Security awareness training of employees in the proper handling of confidential information.
• Implement access controls so that only those who genuinely need information have access.
• Define the security controls required to minimize exposure from security incidents.
3. Implementation

The controls defined in the previous stage are put in place; they encompass a variety of approaches to data management risks:
• Review of identified security threats and existing controls
• Creation of new controls for threat detection and containment
• Selection of network security tools for analysis of actual and attempted attacks
• Installation of technology that raises alerts and records unauthorized access
4. Security Control Assessment

• The main components of a risk assessment are:
• Threats (deliberate or accidental)
• Vulnerabilities
• Likelihood of occurrence (i.e. the probability that an event – a threat successfully exploiting a vulnerability – will occur)
5. Information Security System Authorizations

• Authorization is a security mechanism used to determine a user's or client's privileges or access levels for system resources, including computer programs, files, services, data and application features. Authorization is normally preceded by authentication, which verifies the user's identity.
• Authorization is the process of giving someone permission to do or have something. In multi-user computer systems, a system administrator defines which users are allowed access to the system and with what privileges.
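An added example (not from the original slides) of the order described above: a request is first authenticated, and only then are its privileges checked against an explicit, deny-by-default role table, so a user who holds no role granting an action is refused even though they are known to the system. The users, roles, session tokens, resources and action names are constructed for illustration; a real system would back them with an identity provider and a policy store.

```python
"""Authentication first, then authorization: a deny-by-default role check.

Added example, not from the original slides. All identities, tokens, roles
and permissions below are constructed.
"""
from typing import Optional

# Role -> set of (resource, action) pairs the role may perform.
# Anything not listed here is denied: there is no "allow everything else" path.
ROLE_PERMISSIONS = {
    "reader":  {("reports", "read")},
    "analyst": {("reports", "read"), ("reports", "write")},
    "admin":   {("reports", "read"), ("reports", "write"), ("users", "manage")},
}

# Constructed session table (token -> username); stands in for the authentication step.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
# Constructed role assignments, as a system administrator would define them.
USER_ROLES = {"alice": {"reader"}, "bob": {"analyst"}}


class AuthenticationError(Exception):
    """The caller could not prove who they are."""


class AuthorizationError(Exception):
    """The caller is known, but lacks the privilege for this action."""


def authenticate(token: Optional[str]) -> str:
    """Map a presented token to a verified identity, or refuse."""
    if token is None or token not in SESSIONS:
        raise AuthenticationError("no valid session")
    return SESSIONS[token]


def is_authorized(user: str, resource: str, action: str) -> bool:
    """True only if some role held by the user explicitly grants (resource, action)."""
    return any(
        (resource, action) in ROLE_PERMISSIONS.get(role, set())
        for role in USER_ROLES.get(user, set())
    )


def handle_request(token: Optional[str], resource: str, action: str) -> str:
    """The order matters: identity is established before privileges are checked."""
    user = authenticate(token)                      # who is asking?
    if not is_authorized(user, resource, action):   # may they do this?
        raise AuthorizationError(f"{user} may not {action} {resource}")
    return f"{user} {action} {resource}: ok"


if __name__ == "__main__":
    print(handle_request("tok-bob", "reports", "write"))
    for tok, res, act in [(None, "reports", "read"), ("tok-alice", "reports", "write")]:
        try:
            handle_request(tok, res, act)
        except (AuthenticationError, AuthorizationError) as exc:
            print("refused:", exc)
```

Keeping the two checks as separate functions with distinct error types also makes the failures distinguishable in logs, which matters for the monitoring stage: a burst of authentication failures and a burst of authorization failures from a valid account point to different problems.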
6. Risk Monitoring

• Risk monitoring and control are the two elements responsible for keeping track of identified risks, residual risks, and new and emerging risks.
• They are also used to monitor the execution of the treatment plans for all known risks and to gauge the efficacy of the plans in place.
• Continuous monitoring and analysis are critical. Attackers develop new methods of attacking networks and data stores daily. To keep pace, you must revisit your reporting, alerts, and metrics regularly.
Create an Effective Security and Risk
Management Program
• Defeating cybercriminals and halting internal threats is a challenging process. Bringing data integrity and availability into your enterprise risk management is essential to your employees, customers, and shareholders.
In summary, best practices include:
• Implement technology solutions to detect and eradicate threats before data is compromised.
• Establish a security office with clear accountability.
• Ensure compliance with security policies.
• Make data analysis a collaborative effort between IT and business stakeholders.
• Ensure alerts and reporting are meaningful and effectively routed.