the importance of information security risk management


Upload: michael-francis

Post on 22-Jan-2015


DESCRIPTION

Vigilant Software discusses the importance of ISO27001 and ISO27005, including the business benefits of information security risk assessments.

TRANSCRIPT

1. The Importance of Risk Management
   Alan Calder, CEO, Vigilant Software. Thursday March 7th.
   PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING. Q&A IS HANDLED THROUGH A COMBINATION OF WEBEX CHAT/TEXT AND VOICE.
   The definitive risk assessment tool for ISO27001 certification. Copyright Vigilant Software Ltd 2013.

2. Alan Calder
   • CEO and founder of Vigilant Software
   • Acknowledged information security/risk management thought leader
   • Managed the world's first successful ISO27001 (then BS7799) implementation project in 1996
   • Frequent media commentator on risk management issues
   • Co-author of vsRisk, the definitive cybersecurity risk assessment tool

3. Today's Webinar in Context
   Today's webinar is #2 in an educational series. The 4 webinars are designed to take you on a learning journey:
   • Webinar 1 - Why ISO 27001 for my Organisation?
   • Webinar 2 (Today) - The Importance of risk management.
   • Webinar 3 - Carrying out a risk assessment using vsRisk.
   • Webinar 4 - Maintaining/updating your risk assessment using vsRisk.
   Registration details of future webinars at the end.

4. Today's Agenda
   A short 20-30 minute educational and informative talk:
   • Quick recap of last week's webinar: Why ISO 27001 for my Organisation?
   • The importance of risk management.
   • Ample time for Q&A.
   • Next steps.

5. Recap last week's webinar
   In last week's webinar we covered:
   • What is information security?
   • What is an information security management system (ISMS)?
   • What is ISO 27001?
   • Why should I and my organisation care about ISO 27001?

6. Information Security Terms and Phrases
   • Information security: preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
   • Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
   • Integrity: the property of safeguarding the accuracy and completeness of assets.
   • Availability: the property of being accessible and usable upon demand by an authorized entity.
   • Asset: anything that has value to the organization.

7. What is a Risk?
   A risk exists where there is an identifiable likelihood of an identified threat exploiting an identified vulnerability in relation to the confidentiality, availability or integrity of an asset, and where that compromise will have a quantifiable impact on the organisation. Without likelihood and impact, there is no risk.

8. What is a risk assessment?
   • A risk assessment is the core competence of information security management.
   • ISO 27001 explicitly asks for:
     • a risk assessment to be carried out before any controls are selected and implemented.
     • every control to be justified by a risk assessment.
   • Plan-do-check-act model.

9. Plan-Do-Check-Act (diagram)

10. What is a risk assessment?
   The risk assessment must identify the threat/vulnerability combinations that have a likelihood of impacting the confidentiality, availability or integrity of each asset within a scope. This must be done from a business, compliance or contractual perspective.

11. Benefits of risk assessment?
   • Spend on controls is balanced against business harm likely to result from security failures.
   • Existing over-expenditure can be re-allocated to areas of weakness.
   • Information security management decisions are entirely made by the outcomes from a risk assessment, so they are objective.

12. (Process diagram) Assets → Threats → Vulnerabilities → Analysis → Risks → Treatment → Countermeasures/Safeguards: identification and implementation.

13. Risk Management: Asset Documentation
   Produce inventory of all assets:
   • All physical computing resources (computers, servers, PDAs, etc.)
   • Buildings
   • Telephones, mobile phones
   • Storage facilities
   • Information assets: databases, documentation, blueprints
   • People
   Maintain Asset Register! Control Cat. A.7 is Asset Management: consider when preparing for risk assessment.

14. Risk Management: Asset Management
   • Responsibility for assets.
   • Information classification.
   • Sensitivity guidelines.
   • Sensitivity labelling.

15. Risk Assessment - Objective
   • To inform a proper balance of safeguards against risk of failing to meet business objectives.
   • For a given exposure, removal of safeguards will increase the risk of loss.
   • Too many safeguards could make the security system too expensive/bureaucratic.
   • Method by which expenditure on security and contingency can be justified.

16. Risk assessment
   • Define approach. Comparable and reproducible.
   • Develop criteria for acceptance of risk and identifying acceptable level of risk.
   • Risk Acceptance Criteria.

17. Treatment of Risk
   After completing analysis of risk, you need to decide how to manage it. Treatment of risk:
   • Accept? (Criteria already developed.)
   • Eliminate the risk by work around or other arrangements.
   • Control the risk to bring it to an acceptable level.
   • Transfer it to a third party (e.g. via insurance).
   Then select controls.

18. Safe and Secure - The Importance of Risk Management
   An Information Security Management System (ISMS) will help your organisation to become ISO 27001 certified. This certification will tell your potential customers, employees and partners that your information systems are safe and secure.

19. Safe and secure so what?
   • It's not your word: your information systems are safe and secure to a recognisable, externally audited, international standard.
   • Tells existing and potential customers, employees and partners, as well as regulators, that you have defined and put in place effective information security processes, thus helping create a trusting relationship.
   • You are good to do business with!

20. Summary
   • Information Security risk analysis is a difficult task involving experience and knowledge of the environment being analysed.
   • A number of risk analysis and management methods have been proposed for both commercial and government sectors. These methods are currently available either in the form of guidelines to be applied manually or as software packages.
   • There are tools to help: vsRisk demoed in next week's webinar.
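The rules stated on slides 7, 8, 16 and 17 (no likelihood and impact means no risk; an acceptance criterion; the four treatment options; every control justified by the assessment) can be checked mechanically over a risk register. The Python below is an added example, not Vigilant Software's code or vsRisk; the 1..5 scales, the threshold of 6, the control names and the sample register are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional
ACCEPTANCE_THRESHOLD = 6  # assumed criterion (slide 16): score <= 6 is acceptable
TREATMENTS = {"accept", "eliminate", "control", "transfer"}  # slide 17 options

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    cia: str                   # confidentiality, integrity or availability
    likelihood: Optional[int]  # assumed 1..5 scale; None = not yet assessed
    impact: Optional[int]      # assumed 1..5 scale; None = not yet assessed
    treatment: Optional[str] = None
    controls: List[str] = field(default_factory=list)  # constructed control names
    def score(self) -> Optional[int]:
        # Slide 7: without likelihood and impact there is no risk to score.
        if self.likelihood is None or self.impact is None:
            return None
        return self.likelihood * self.impact

def assess(register, threshold=ACCEPTANCE_THRESHOLD):
    """Check each entry against the deck's rules; return (findings, justified controls)."""
    findings, justified = [], set()
    for r in register:
        tag, s = f"{r.asset} / {r.threat}", r.score()
        if s is None:
            findings.append(f"{tag}: no likelihood or impact recorded, so not yet a risk")
            continue
        if s > threshold and r.treatment not in TREATMENTS:
            findings.append(f"{tag}: score {s} exceeds acceptance criteria, no valid treatment")
        elif s <= threshold and r.treatment not in (None, "accept"):
            findings.append(f"{tag}: score {s} is within acceptance criteria, '{r.treatment}' is over-spend")
        if r.treatment == "control" and not r.controls:
            findings.append(f"{tag}: treatment is 'control' but no control was selected")
        justified.update(r.controls)  # controls traceable to a risk (slide 8)
    return findings, justified

def unjustified_controls(selected, justified):
    """Slide 8: every control must be justified by a risk; list those that are not."""
    return sorted(set(selected) - set(justified))
# Constructed sample register and control list (not from the webinar).
SAMPLE_REGISTER = [
    Risk("Customer database", "external attacker", "unpatched web server", "confidentiality", 4, 5, "control", ["patch-management"]),
    Risk("Laptop fleet", "theft", "no disk encryption", "confidentiality", 3, 4),
    Risk("Office Wi-Fi", "eavesdropping", "weak pre-shared key", "confidentiality", None, 3),
    Risk("Marketing site", "defacement", "weak CMS password", "integrity", 2, 1, "control", ["waf"]),
]
SELECTED_CONTROLS = ["patch-management", "waf", "badge-access"]  # badge-access has no risk behind it
```

Running `assess(SAMPLE_REGISTER)` flags the untreated laptop risk, the unassessed Wi-Fi entry and the over-spend on the marketing site, and `unjustified_controls` reports "badge-access" as a control with no risk behind it.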
21. Next Steps: Upcoming Educational Webinars
   • Webinar 3 - Carrying out a Risk Assessment using vsRisk - Thursday March 14th, 4pm UK Time.
   • Webinar 4 - Maintaining and Updating your Risk Assessment using vsRisk - Thursday March 21st, 4pm UK Time.
   • Register for both/either at http://www.vigilantsoftware.co.uk/webinars.aspx

22. Before the next webinars
   • Read a book: read the world's first practical e-book guidance on achieving ISO 27001 certification and the nine essential steps to an effective ISMS implementation. Available for 29.95 at http://www.vigilantsoftware.co.uk/product/1651.aspx
   • Download a free trial of vsRisk: the cyber security risk assessment tool compliant to ISO 27001 that automates and accelerates the risk management process. 15-day free trial at http://www.vigilantsoftware.co.uk

23. Next Steps: Special March offer of risk assessment software vsRisk
   Purchases of vsRisk in March will include for free the information security risk management standard, ISO 27005 (worth 100) and a copy of the book Information Security Risk Management for ISO27001/ISO 27002 (worth 39.95). To claim this offer, please visit www.vigilantsoftware.co.uk. Offer valid until Thursday March 28th.

24. Next Steps: Want to know more?
   If you would like to know more about ISO 27001, including how to carry out an ISO 27001-compliant risk assessment, please visit http://www.vigilantsoftware.co.uk or [email protected].

25. Questions: we welcome them all!
   Please type your questions into the Webex chat window; responses will generally be verbal and shared with all delegates.