0 - Introduction To Cybersecurity Risk Management

This document discusses managing cybersecurity risk through effective risk governance and management. It defines key terms like risk, risk management, and governance. Risk management supports governance by identifying risks and reducing them to acceptable levels. Effective IT risk management and governance help ensure that IT systems create value for the organization, resources are optimized, and compliance requirements are met. A risk in one area poses a threat to the entire enterprise, so accurate information sharing and a top-down, bottom-up approach to governance and risk management are important.


IT 727-A & OL – Managing Cybersecurity Risk

Cybersecurity & Risk Management

Dr. Ibrahim Waziri Jr.
Security

Security: State of being secure and free from danger or harm; the actions taken to make someone or something secure.

Information Security: The protection of information and its critical elements.
• Standard based on CIA triad - Inadequate!!!

Organizational Security Focus: Design and create safe environments in which business processes and procedures can function.

“create safe” = security = Risk Management
Risk Management & Governance

Risk: Probability of an event and its consequences - Often seen as an adverse event that negatively impacts assets by exploiting vulnerabilities.

Risk management: The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.

Governance: Accountability (Board of Directors, Senior Management etc.) for the protection of organization assets and for adding VALUE to the organization.

Governance Principle: Alignment of functions to business strategy, goals, mission and objectives - Applicable to all departments of the organization.
• Are we doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits?
“benefits” = added value = Governance

Management vs Governance:
• Management focuses on planning, building, running & monitoring activities.
• Governance creates VALUE by achieving objectives.

Risk management supports Governance!!!

Risk Governance

Risk Governance – Ensures risk management and practices are embedded in the organization's governance.

Risk Governance Objectives:
• Establish and maintain a common view of risk
• Integrate risk management into the enterprise
• Make risk-aware business decisions
• Ensure that risk management controls are implemented and operating correctly

--
• A risk in one area is a threat to all other areas of the enterprise
• Governance & Risk Management require accurate information
• Information is stored on technology.

IT Governance & Risk Management
IT Risk Management & Governance

IT Risk Management: Evaluation, Direction & Control of Information Technology

IT Governance:
• Value Creation - Ensure that IT creates value for the organization
• Resource optimization
• Benefits and objectives realization
• Business Continuity etc.

Compliance:
• Senior Management - Accountable – Sets rules & policies (You can’t delegate accountability)
• Everyone - Responsible – Responsibilities are delegated – Make it happen

GRC = Governance, Risk and Compliance!
Introduction – Roles

Hierarchy shown on the slide (the Top Down Approach reads from the board downward, the Bottom Up Approach reads from baselines upward):
• Board, Stakeholders etc.
• Senior Management (Enterprise Policy)
• Committee - (Audit, Change Mgt etc.)
• Mid Management (Security Functions Policy)
• Procedures, Guidelines, Standards
• Baselines
Frameworks, Regulations, Standards, Guidelines etc.

• CSA
• SOX
• FEDRAMP
• FFIEC
• GDPR
• COBIT
• ISACA
• SCF
• PIPEDA
• GLBA
• FISMA
• ASD
• COSO
• NIST RMF (NIST 800 Series)
• ISO 31000
• OCTAVE
• CIS
• ISO 27000
• DISA STIGS
• HIPAA
• PCI-DSS
What is the purpose of Cybersecurity & Risk Management?

VALUE

Risk Management Life Cycle

The cycle runs through four stages and returns to the first:
• IT Risk Identification
• IT Risk Assessment
• IT Risk Response and Mitigation
• IT Risk & Control Monitoring and Reporting