Transcript of Risk Management - Jisc Digital Festival 2015
» Information security manager
» Certified ISO 27005:2011 ISMS Risk Manager
Risk management workshop
09/03/2015 Jisc Digital Festival, 9-10 March 2015, ICC Birmingham 3
What’s covered in this risk assessment
» Sharing some of my experiences of risk management
» How to think about what risk means to you
» Ideas on what makes for an effective process
» NOT: a prescriptive guide to risk management
What is risk?
» “The effect of uncertainty on objectives” (ISO Guide 73:2009)
» Will it snow?
» How much effort should we spend planning for floods?
What is risk management?
» The tools that allow us to deal with the uncertainty inherent in our activities
» If we spend £10,000 now, we can halve the impact of one-in-ten-year floods
Why risk management?
» We operate in an uncertain environment
» Analysing uncertainty allows us to spot opportunity and make failure less likely
Group exercise 1:
» Is there one method for risk assessment? Does the type of risk affect the method?
» Compare two types of risk assessment you’ve encountered. Why were they different?
Group exercise 1:
» ISO 31000:2009 – Risk Management
» ISO 27005:2011 – Information Security Risk Management
» M_o_R – Management of Risk
» COSO 2004 – Enterprise Risk Management
Is this definition useful?
» “The effect of uncertainty on objectives” (ISO Guide 73:2009)
Another definition
» Risk is often expressed as a combination of the impact of an event, and the likelihood that the event will occur
Risk = Impact x Probability
Risk Matrix
Rows give the probability of the event, columns its impact, and each cell the resulting risk rating.

Probability \ Impact   Trivial   Minor     Moderate  Major     Extreme
Rare                   Low       Low       Low       Medium    Medium
Unlikely               Low       Low       Medium    Medium    High
Moderate               Low       Medium    Medium    Medium    High
Likely                 Medium    Medium    Medium    High      High
Very Likely            Medium    Medium    High      High      High
Group exercise 2.1
» Risk = Impact x Probability
» Does this accurately capture your organization's risk attitude?
» What else might be needed?
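Added worked example (not part of the slides, and not the speaker's code): a short Python script that encodes the 5x5 matrix from the Risk Matrix slide and compares the rating it gives with the plain product Risk = Impact x Probability, then costs the flood control from the "What is risk management?" slide as an annual loss expectancy. Only the matrix cells, the £10,000 control cost, the one-in-ten-year return period and the halving of impact come from the slides; the ordinal scores 1 to 5, the Low/Medium/High thresholds on the product, the £50,000 unmitigated flood loss and the ten-year horizon are assumptions made for illustration.

```python
"""Qualitative risk matrix vs. "Risk = Impact x Probability".

Added example, not code from the workshop. MATRIX copies the 5x5 matrix
from the slide; the ordinal scores, the bucketing thresholds, the £50,000
flood loss and the ten-year horizon are illustrative assumptions.
"""

IMPACT = ["Trivial", "Minor", "Moderate", "Major", "Extreme"]
PROBABILITY = ["Rare", "Unlikely", "Moderate", "Likely", "Very Likely"]

# Rows are probability, columns are impact, exactly as on the slide.
MATRIX = {
    "Rare":        ["Low",    "Low",    "Low",    "Medium", "Medium"],
    "Unlikely":    ["Low",    "Low",    "Medium", "Medium", "High"],
    "Moderate":    ["Low",    "Medium", "Medium", "Medium", "High"],
    "Likely":      ["Medium", "Medium", "Medium", "High",   "High"],
    "Very Likely": ["Medium", "Medium", "High",   "High",   "High"],
}


def matrix_rating(probability: str, impact: str) -> str:
    """Rating the slide's matrix assigns to a (probability, impact) cell."""
    return MATRIX[probability][IMPACT.index(impact)]


def product_score(probability: str, impact: str) -> int:
    """Risk = Impact x Probability with ordinal scores 1..5 (an assumption)."""
    return (PROBABILITY.index(probability) + 1) * (IMPACT.index(impact) + 1)


def product_rating(probability: str, impact: str,
                   low_max: int = 4, medium_max: int = 12) -> str:
    """Bucket the product into Low/Medium/High; the thresholds are assumed."""
    score = product_score(probability, impact)
    if score <= low_max:
        return "Low"
    if score <= medium_max:
        return "Medium"
    return "High"


def disagreements(low_max: int = 4, medium_max: int = 12) -> list:
    """Cells where the bucketed product and the slide's matrix rate differently."""
    return [
        (p, i, product_score(p, i),
         product_rating(p, i, low_max, medium_max), matrix_rating(p, i))
        for p in PROBABILITY
        for i in IMPACT
        if product_rating(p, i, low_max, medium_max) != matrix_rating(p, i)
    ]


def same_product_different_rating() -> list:
    """Product scores whose cells the matrix rates differently.

    Independent of any threshold choice: if two cells share a score but not
    a rating, no function of the product alone can reproduce the matrix.
    """
    by_score = {}
    for p in PROBABILITY:
        for i in IMPACT:
            by_score.setdefault(product_score(p, i), []).append(
                (p, i, matrix_rating(p, i)))
    return [(score, cells) for score, cells in sorted(by_score.items())
            if len({rating for _, _, rating in cells}) > 1]


# Quantitative view of the flood example on the "What is risk management?" slide.

def annual_loss_expectancy(impact: float, return_period_years: float) -> float:
    """Expected loss per year for an event of a given impact and return period."""
    return impact / return_period_years


def control_net_benefit(impact: float, return_period_years: float,
                        impact_after: float, control_cost: float,
                        horizon_years: float) -> float:
    """Loss the control is expected to avert over the horizon, minus its one-off cost.

    Positive means the control pays for itself within the horizon.
    """
    averted_per_year = (annual_loss_expectancy(impact, return_period_years)
                        - annual_loss_expectancy(impact_after, return_period_years))
    return horizon_years * averted_per_year - control_cost


if __name__ == "__main__":
    for score, cells in same_product_different_rating():
        print(f"score {score}: {cells}")
    for p, i, score, bucketed, slide in disagreements():
        print(f"{p} x {i}: product {score} -> {bucketed}, matrix -> {slide}")
    # Slide figures: £10,000 control, one-in-ten-year flood, impact halved.
    # The £50,000 unmitigated loss and the ten-year horizon are assumptions.
    print(control_net_benefit(50_000, 10, 25_000, 10_000, 10))
```

The matrix is not a function of the product: Unlikely x Extreme and Very Likely x Minor both score 10, yet the slide rates them High and Medium, and Rare x Major and Likely x Trivial both score 4 but are rated Medium and Low by the bucketed product. That asymmetry is the impact-weighted risk attitude the exercise asks about, and it is lost the moment the matrix is replaced by a single multiplied score. The annual loss expectancy part shows what the matrix cannot: whether the £10,000 is worth spending depends on what the flood would actually cost, and with a one-in-ten-year return period halving the impact only pays back over ten years if the unmitigated loss is above £20,000.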
Group exercise 2.2
» Risk context – the internal and external parameters to be taken into account when managing risk
» What parameters might you want to take into account?
» Would you expect the output of your first risk assessment to closely match current working practices? If not, why?
Process
» Risk assessments need to be robust, repeatable and reproducible – this normally requires a documented process
» Risks need ownership so that people take responsibility for them: track progress, and monitor for changes and for the effectiveness of controls
Problems with process
» It’s easy to blindly follow a process or flow-chart even when you can see the train wreck ahead
» Any process that doesn’t take this into account will fail hard
» How to cope with failure?
» Stop. Check. Think. Revisit your assumptions
Group exercise 3:
» What’s worked well in risk assessments you’ve been involved in?
» What went wrong?
» Did having a good process help?
Group exercise 3:
» Risk assessment of the first service took much longer than anticipated
» Subsequent risk assessments took less time than anticipated
» Risks were more closely related to activities (processing personal data, running a server…) than to the service
Communication
» Even a small risk assessment can provide a lot of output
» Present it in full like this?
» Present it visually?
» Summarize it in a high level report?
» Present it in PowerPoint!
Group Exercise 4
» How would you provide results to the manager of a technical group?
» How would you provide results to the governing body?
» How would you share the results with a peer?
Group Exercise 4
» In-depth technical results are shared with service managers
» Also made available to top management
» Top management receives a high level risk treatment plan, highlighting residual risks and areas of concern
Pod surgery
» Feel free to come along to my Pod surgery from 15:30 – 16:30
» Thank you!
Find out more…
Contact…
Except where otherwise noted, this work is licensed under CC-BY-NC-ND
James Davis, Information security manager, Jisc