Risk Management - Jisc Digital Festival 2015


Risk management workshop

» Information security manager

» Certified ISO 27005:2011 ISMS Risk Manager


09/03/2015 Jisc Digital Festival, 9-10 March 2015, ICC Birmingham 3


What’s covered in this risk assessment

» Sharing some of my experiences of risk management

» How to think about what risk means to you

» Ideas on what makes for an effective process

» NOT: a prescriptive guide to risk management

What is risk?


» “The effect of uncertainty on objectives” (ISO Guide 73:2009)

» Will it snow?

» How much effort should we spend planning for floods?


What is risk management?


» The tools that allow us to deal with the uncertainty inherent in our activities

» If we spend £10,000 now, we can halve the impact of one-in-ten-year floods

Why risk management?

» We operate in an uncertain environment

» Analysing uncertainty allows us to spot opportunity and make failure less likely


Group exercise 1:


» Is there one method for risk assessment? Does the type of risk affect the method?

» Compare two types of risk assessment you’ve encountered. Why were they different?


Group exercise 1:


» ISO 31000:2009 – Risk Management

» ISO 27005:2011 – Information Security Risk Management

» M_o_R Management of Risk

» COSO 2004 Enterprise Risk Management

Is this definition useful?

“The effect of uncertainty on objectives” (ISO Guide 73:2009)

Another definition

» Risk is often expressed as a combination of the impact of an event, and the likelihood that the event will occur

Risk = Impact x Probability

Risk Matrix

Rows are probability, columns are impact; each cell is the resulting risk rating.

Probability \ Impact | Trivial | Minor  | Moderate | Major  | Extreme
Rare                 | Low     | Low    | Low      | Medium | Medium
Unlikely             | Low     | Low    | Medium   | Medium | High
Moderate             | Low     | Medium | Medium   | Medium | High
Likely               | Medium  | Medium | Medium   | High   | High
Very Likely          | Medium  | Medium | High     | High   | High

Group exercise 2.1

» Risk = Impact x Probability

» Does this accurately capture your organization's risk attitude?

» What else might be needed?
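One way to answer the exercise question is to test the matrix itself. The script below is an added example for this page, not material from the workshop; it encodes the 5x5 matrix from the slide and checks three things a practitioner usually wants to know before adopting a matrix: whether the rating ever drops as probability or impact rises, whether it is actually a function of Impact x Probability, and which factor it weights more heavily. The 1..5 numeric scales behind the product are an assumption; the slide only gives the labels.

```python
"""Consistency checks for a qualitative risk matrix.

Added example, not from the workshop slides. The matrix values are the
ones on the slide; the 1..5 ordinal scales used for the product are an
assumption made here so that "Impact x Probability" can be computed.
"""
from itertools import product as cartesian

PROBABILITY = ["Rare", "Unlikely", "Moderate", "Likely", "Very Likely"]
IMPACT = ["Trivial", "Minor", "Moderate", "Major", "Extreme"]
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2}

# Rows: probability (Rare .. Very Likely); columns: impact (Trivial .. Extreme).
MATRIX = [
    ["Low", "Low", "Low", "Medium", "Medium"],
    ["Low", "Low", "Medium", "Medium", "High"],
    ["Low", "Medium", "Medium", "Medium", "High"],
    ["Medium", "Medium", "Medium", "High", "High"],
    ["Medium", "Medium", "High", "High", "High"],
]


def rate(probability, impact):
    """Qualitative rating for a (probability, impact) pair from the matrix."""
    return MATRIX[PROBABILITY.index(probability)][IMPACT.index(impact)]


def score(probability, impact):
    """Numeric 'Impact x Probability' on the assumed 1..5 ordinal scales."""
    return (PROBABILITY.index(probability) + 1) * (IMPACT.index(impact) + 1)


def is_monotone():
    """True if the rating never decreases moving right (more impact) or down
    (more likely). A matrix that fails this is internally contradictory."""
    for r, c in cartesian(range(5), range(5)):
        here = RATING_ORDER[MATRIX[r][c]]
        if c + 1 < 5 and RATING_ORDER[MATRIX[r][c + 1]] < here:
            return False
        if r + 1 < 5 and RATING_ORDER[MATRIX[r + 1][c]] < here:
            return False
    return True


def score_conflicts():
    """Products that map to more than one rating. Any entry here shows the
    matrix is not simply a function of Impact x Probability."""
    by_score = {}
    for p, i in cartesian(PROBABILITY, IMPACT):
        by_score.setdefault(score(p, i), set()).add(rate(p, i))
    return {s: ratings for s, ratings in by_score.items() if len(ratings) > 1}


def asymmetries():
    """Cells whose mirror image (probability level and impact level swapped)
    gets a different rating. The direction of the difference shows whether
    the matrix weights impact or likelihood more: that is the risk attitude."""
    found = []
    for r in range(5):
        for c in range(r + 1, 5):
            a, b = MATRIX[r][c], MATRIX[c][r]
            if a != b:
                found.append(((PROBABILITY[r], IMPACT[c]), a,
                              (PROBABILITY[c], IMPACT[r]), b))
    return found


if __name__ == "__main__":
    print("monotone:", is_monotone())
    for s, ratings in sorted(score_conflicts().items()):
        print(f"product {s} maps to {sorted(ratings)}")
    for cell, a, mirror, b in asymmetries():
        print(f"{cell} -> {a}, but {mirror} -> {b}")
```

Run against the slide's matrix, the checks pass monotonicity, but the product is ambiguous (a score of 4 is Low for Unlikely x Minor and Medium for Rare x Major or Likely x Trivial, and a score of 10 is High for Unlikely x Extreme but Medium for Very Likely x Minor), and the one asymmetric pair shows the matrix rates a rare catastrophe above a frequent nuisance. That asymmetry is the "something else" the exercise asks about: the matrix encodes an attitude that the bare formula does not.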


Group exercise 2.2


» Risk context – the internal and external parameters to be taken into account when managing risk

» What parameters might you want to take into account?

» Would you expect the output of your first risk assessment to closely match current working practices? If not, why?

Process


» Risk Assessments need to be robust, repeatable and reproducible – this normally requires a documented process

» Risks need ownership so that people take responsibility for them: track progress and monitor for changes and effectiveness of controls

Problems with process


» It’s easy to blindly follow a process or flow-chart even when you can see the train wreck ahead

» Any process that doesn’t take this into account will fail hard


» How to cope with failure?

» Stop. Check. Think. Revisit your assumptions

Group exercise 3:

» What’s worked well in risk assessments you’ve been involved in?

» What went wrong?

» Did having a good process help?


Group exercise 3:


» Risk assessment of the first service took much longer than anticipated

» Subsequent risk assessments took less time than anticipated

» Risks were more closely related to activities (processing personal data, running a server…) than to the service

Communication


» Even a small risk assessment can provide a lot of output


» Present it in full like this?


» Present it visually?


» Summarize it in a high level report?


» Present it in PowerPoint!

Group Exercise 4

» How would you provide results to the manager of a technical group?

» How would you provide results to the governing body?

» How would you share the results with a peer?


Group Exercise 4


» In-depth technical results are shared with service managers

» Also made available to top management

» Top management receives a high-level risk treatment plan, highlighting residual risks and areas of concern

Pod surgery


» Feel free to come along to my Pod surgery from 15:30 – 16:30

» Thank you!

Find out more…

Contact…

Except where otherwise noted, this work is licensed under CC-BY-NC-ND

James Davis, Information security manager, Jisc

[email protected]