CRM Tee

Uploaded by

Chirayu

Risk Management

July 2024
Contents
01 Introduction to course

02 Introduction to risk

03 Risk Occurrence/ Likelihood

04 Risk Impact

05 Relationship between vulnerability, threat and risk

06 Risk Management Lifecycle

07 Risk Criteria

08 Risk Identification

09 Risk Analysis

10 Risk Evaluation

11 Risk Treatment

12 Quiz
Introduction to Course

Welcome to the Cybersecurity Risk Management course. Cyber threats have emerged as one of the major threats faced by businesses. The number of cyber-attacks is increasing along with the cost of mitigation. Cybersecurity risk management is an ongoing process of identifying, analyzing, evaluating, and addressing your organization's cybersecurity threats. After successful completion of the course, students will be able to:
• Explain various cybersecurity risk management frameworks and methodologies
• Identify and model cybersecurity risks using various qualitative and quantitative methods

I. Introduction to Cybersecurity Risk Management
We begin by understanding the foundational elements of cybersecurity risk, including threats, vulnerabilities, and their potential impact on organizational operations and assets.
• Risk Management Lifecycle
• Legal Compliance

II. Risk Assessment
Gain insights into the structured process of risk assessment and its pivotal role in establishing effective cybersecurity strategies.
• Types of Risk Assessments
• Evaluation of Threats and Countermeasures

III. Risk Management Planning
Define the objectives and scope of risk management planning, ensuring alignment with organizational goals and regulatory requirements. Establish clear responsibilities and reporting structures to facilitate transparency and accountability in risk management efforts.
• Techniques for Risk Management
• Risk Prioritization

IV. Business Continuity and Disaster Recovery
Understand the essential components and rationale behind developing robust Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) to ensure organizational resilience.
• Business Impact Analysis
• Elements of BCP and DRP
• Best Practices
Introduction to Course

Welcome to the Cybersecurity Risk Management course. Here, we focus on protecting organizational assets from cyber threats. You'll gain the knowledge and skills needed to manage risks, maintain business continuity, and strengthen resilience against changing cybersecurity challenges.

V. Risk Management frameworks
Dive into prominent cybersecurity frameworks such as the NIST Cybersecurity Framework and regulatory guidelines like the SEC Cybersecurity Rule, understanding their roles in guiding effective cybersecurity practices.
• Risk management standards and frameworks
• Compliance and Best Practices

VI. Cyber Risk & Resilience
Differentiate between cyber risk management and cyber resilience, emphasizing the importance of building adaptive strategies to withstand and recover from cyber incidents.
• Impact of Emerging Technologies
• Resilient Decision-Making

VII. Data Governance
Examine the critical role of Data Governance in managing and protecting sensitive information, ensuring data integrity, availability, and confidentiality.
• Importance and benefits
• Challenges faced
• Relationship with risk management
• DAMA
• ISO 8000

VIII. Data Privacy & Security
Explore the intersection and differentiation between Risk Management, Data Privacy, and Data Security, highlighting how these domains collaborate to mitigate risks and safeguard organizational data assets.
• Benefits and challenges faced
• Differentiation from risk management
• India's DPDP Act
Introduction to Risk

What is Risk?

Any event that can impact the achievement of a "Business Objective" can be termed a "Risk". Empirically, it can be calculated as the product of risk likelihood and risk impact, i.e.
Risk = Likelihood x Impact

What is a Business Objective?

An objective is a specific measurable result expected within a particular time period, consistent with a goal and strategy. For example: Regulatory Compliance, Cost Reduction, Sales, Talent Development, etc.
Risk Occurrence/ Likelihood

Risk
• Risk is the likelihood that a loss will occur.
• Losses occur when a threat exposes a vulnerability.
• Organizations of all sizes face risks.
• Some risks are so severe they cause a business to fail.
• Other risks are minor and can be accepted without another thought.

Threat
• A threat is any circumstance or event with the potential to cause a loss.
• Threat can also be interpreted as any activity that represents a possible danger.
• Threats are always present and cannot be eliminated, but they may be controlled.

Vulnerability
• A vulnerability is a weakness. It could be a procedural, technical, or administrative weakness. It could be a weakness in physical security, technical security, or operational security. Just as all threats don't result in a loss, all vulnerabilities don't result in a loss.
• It's only when an attacker is able to exploit the vulnerability that a loss to an asset occurs.
Risk Impact

The "Impact" of risk on a business primarily depends on how much the confidentiality, integrity, and availability of assets are compromised.

1 Confidentiality
Preventing unauthorized disclosure of information. Data should be available only to authorized users. Loss of confidentiality occurs when data is accessed by someone who should not have access to it.

2 Availability
Ensuring data and services are available when needed. IT systems are commonly protected using fault tolerance and redundancy techniques.

3 Integrity
Ensuring data or an IT system is not modified or destroyed. If data is modified or destroyed, it loses its value to the company.
Seven Domains of a Typical IT Infrastructure

[Diagram: the seven domains and a firewall. Labels recovered from the figure:]
• User Domain
• Workstation Domain
• LAN Domain
• LAN-to-WAN Domain
• WAN Domain
• Remote Access Domain
• System/Application Domain (mainframe, application and web servers)
• Firewall
Relationship between vulnerability, threat and risk

Below, we will understand the relationship between vulnerability, threat and risk through an example.

1 Vulnerability
A weakness in the system which can be exploited is a vulnerability.
For e.g. the company has an outdated firewall.

2 Threat
Any agent/act that can exploit a vulnerability is a threat.
For e.g. an external agent tries to get unauthorized access.

3 Risk
The potential for loss if a threat exploits a vulnerability is called risk.
For e.g. if the external agent exploits this vulnerability, they could access sensitive data.

4 Attack
The actual attempt to exploit the vulnerability is called an attack.
For e.g. the external agent gains access to data, leading to data leakage.
Risk Management Lifecycle

Risk management is the practice of identifying, assessing, controlling, and mitigating risks. Threats and vulnerabilities are key drivers of risk. Identifying the threats and vulnerabilities that are relevant to the organization is an important step. Organisations can then take action to reduce potential losses from these risks.

Risk Management Lifecycle: Risk Criteria -> Risk Identification -> Risk Analysis -> Risk Evaluation -> Risk Treatment

Risk Criteria
• Define clear risk tolerance levels to guide decision-making on acceptable risk exposure.
• Establish thresholds for risk severity and impact to trigger appropriate responses.

Risk Identification
• Conduct workshops and interviews with stakeholders to brainstorm and document potential risks.
• Utilize historical data, checklists, and expert judgment to ensure comprehensive risk coverage.

Risk Analysis
• Assess risks by evaluating their likelihood of occurrence and potential impact on objectives.
• Use qualitative and quantitative techniques such as risk matrices or scenario analysis to prioritize risks.

Risk Evaluation
• Compare assessed risks against predefined risk criteria to determine their significance.
• Consider additional factors like risk interdependencies and cumulative effects during evaluation.

Risk Treatment
• Develop and implement risk response plans tailored to address identified risks effectively.
• Monitor risk treatment activities to ensure timely execution and effectiveness in reducing risk exposure.
Defining the Risk Criteria

Steps
1 Define risk tolerance & appetite
2 Select risk dimensions & specify measurement scales
3 Document & communicate criteria

1 Define risk tolerance & appetite
Determine the organization's risk tolerance level, indicating the acceptable level of risk exposure. Establish risk appetite, specifying the desired level of risk taking aligned with strategic objectives.

2 Select risk dimensions & specify measurement scales
Choose the dimensions or factors that will be used to assess and categorize risks (e.g., likelihood, impact). Define clear measurement scales or thresholds for each risk dimension (e.g., high, medium, low; 1-5 scale).

3 Document & communicate criteria
Document the defined risk criteria in a formal policy, guideline, or risk management plan. Communicate the criteria across the organization to ensure understanding and alignment.
Risk Identification

Steps
1 Identify Threats
2 Identify Vulnerabilities
3 Pairing Threats with Vulnerabilities

1 Identify Threats
"Threat identification" is the process of creating a list of threats. The list attempts to identify all the possible threats to an organization. The list can be extensive.

2 Identify Vulnerabilities
Potential vulnerabilities can be determined through audits, certification records, system logs, prior events, and incident response teams.

3 Pairing Threats with Vulnerabilities
Threats are matched to existing vulnerabilities to determine the likelihood of a risk.
• Risk = Threat x Vulnerability
• Total Risk = Threat x Vulnerability x Asset Value
Assessing Identified Risks

Steps
1 Assess likelihood & determine impact
2 Evaluate Risk Levels & consider risk interdependencies
3 Document findings & review

1 Assess likelihood & determine impact
Evaluate the probability of each identified risk occurring based on historical data, expert judgment, and analytical methods. Analyze the potential consequences or impact of each risk on project objectives, resources, stakeholders, and operations.

2 Evaluate Risk Levels & consider risk interdependencies
Combine the assessed likelihood and impact to determine the overall risk level using a risk matrix or similar tool. Evaluate how risks may interact or compound each other, considering their combined effect on project or organizational goals.

3 Document findings & review
Document the results of risk analysis, including identified risks, their assessed likelihood, impact, and overall risk levels. Adjust risk assessments and priorities as needed to maintain alignment with project objectives and organizational strategy.
Risk Evaluation

Steps
1 Compare against risk criteria
2 Prioritize risks & consider risk context
3 Document risk assessment results

1 Compare against risk criteria
Refer to established risk criteria (e.g., risk tolerance, appetite, measurement scales) to assess each identified risk. Determine whether each risk meets the predefined thresholds for likelihood, impact, or other relevant dimensions.

2 Prioritize risks & consider risk context
Rank risks based on their assessed levels of likelihood and impact to prioritize them for further attention and response. Assess how each risk aligns with organizational goals and its potential to affect project outcomes or business performance.

3 Document risk assessment results
Document the outcomes of risk evaluation, including the prioritized list of risks, their assessed levels, and supporting rationale. Ensure clarity in how risks are categorized and communicated.
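The risk criteria, analysis and evaluation steps described above, worked through in code as an added example (not part of the course material): expert ratings are averaged, scored as likelihood x impact, mapped onto level bands and compared with a tolerance. The 1-5 scales, the score bands, the "Medium" tolerance and the three sample risks with their ratings are constructed assumptions.

```python
"""Qualitative risk analysis and evaluation against defined risk criteria.

Added example; not from the course slides. Scales, bands, tolerance and
the sample risks below are assumptions chosen for illustration.
"""
from statistics import mean

# Risk Criteria: both dimensions use a 1-5 scale; score = likelihood x impact.
SCALE_MIN, SCALE_MAX = 1, 5
# Assumed level bands on the 1..25 score, checked highest first.
LEVEL_BANDS = [("High", 15), ("Medium", 8), ("Low", 1)]
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}
RISK_TOLERANCE = "Medium"   # highest level accepted without treatment (assumed)


def average_rating(votes):
    """Average several experts' ratings, rejecting empty or out-of-scale input."""
    if not votes:
        raise ValueError("at least one rating is required")
    for v in votes:
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"rating {v} is outside the {SCALE_MIN}-{SCALE_MAX} scale")
    return mean(votes)


def risk_level(score):
    """Map a likelihood x impact score onto the criteria's level bands."""
    for level, floor in LEVEL_BANDS:
        if score >= floor:
            return level
    raise ValueError(f"score {score} is below the scale minimum")


def analyze(risks):
    """Risk Analysis: average the expert votes and derive score and level."""
    results = []
    for r in risks:
        likelihood = average_rating(r["likelihood"])
        impact = average_rating(r["impact"])
        score = likelihood * impact
        results.append({
            "name": r["name"],
            "likelihood": likelihood,
            "impact": impact,
            "score": score,
            "level": risk_level(score),
        })
    return results


def evaluate(results, tolerance=RISK_TOLERANCE):
    """Risk Evaluation: rank by score (impact breaks ties) and flag risks
    whose level exceeds the organization's tolerance."""
    ranked = sorted(results, key=lambda x: (-x["score"], -x["impact"], x["name"]))
    for item in ranked:
        item["needs_treatment"] = LEVEL_RANK[item["level"]] > LEVEL_RANK[tolerance]
    return ranked


# Constructed sample risks with three experts' 1-5 ratings each.
SAMPLE_RISKS = [
    {"name": "Outdated perimeter firewall", "likelihood": [4, 5, 4], "impact": [5, 5, 4]},
    {"name": "Lost employee laptop", "likelihood": [3, 3, 4], "impact": [3, 2, 3]},
    {"name": "Office power outage", "likelihood": [2, 1, 2], "impact": [2, 2, 1]},
]


def evaluate_sample():
    """Run the sample risks through analysis and evaluation."""
    return evaluate(analyze(SAMPLE_RISKS))


if __name__ == "__main__":
    for item in evaluate_sample():
        flag = "TREAT" if item["needs_treatment"] else "accept"
        print(f"{item['name']:<30} score={item['score']:5.1f} {item['level']:<6} {flag}")
```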
Risk Treatment

1 Mitigation
Mitigation aims to reduce the probability or impact of a risk to an acceptable level through proactive measures. Strategies may include implementing controls, improving processes, enhancing training, or upgrading technology. It focuses on addressing the root causes or vulnerabilities that contribute to the risk's occurrence or severity. Effective mitigation efforts can strengthen resilience and improve the organization's ability to respond to adverse events.

2 Acceptance
Acceptance involves acknowledging the existence of a risk but deciding not to take action to avoid or mitigate it. It is suitable when the cost of mitigation outweighs the potential impact of the risk or when the risk falls within acceptable thresholds. Organizations may accept risks strategically if they align with their risk appetite and overall business objectives. Acceptance does not mean ignoring the risk; it involves monitoring and preparing to respond if the risk materializes.

3 Avoidance
Avoidance seeks to eliminate the risk entirely by altering plans, processes, or activities to circumvent the risk source. It often involves strategic decisions to not pursue certain activities or ventures that carry high inherent risks. By avoiding the risk, organizations can potentially save resources and prevent disruptions to their operations or objectives.

4 Transfer
Transfer shifts the financial or operational consequences of a risk to another party, typically through contracts, insurance, or outsourcing. It allows organizations to leverage external expertise or resources to manage risks more effectively. Insurance policies and indemnification clauses in contracts are common examples of risk transfer mechanisms. While transferring risk can reduce exposure, organizations must carefully evaluate the terms and costs associated with transferring risks.
Quiz

1. A vulnerability in a system refers to:
A) The likelihood of a threat exploiting a weakness
B) The potential harm or loss resulting from a risk event
C) The presence of controls that mitigate risks
D) The inherent characteristics of a risk event

2. What is the purpose of assessing the impact of risks?
A) To determine the likelihood of risks occurring
B) To quantify the financial cost of risks
C) To understand the potential consequences of risks
D) To transfer risks to insurance companies

3. Which of the following is an example of an internal source for identifying risks?
A) Industry reports and benchmarks
B) Stakeholder interviews and brainstorming sessions
C) Competitor analysis and market trends
D) Customer feedback and surveys

4. Risk mitigation involves:
A) Eliminating all identified risks completely
B) Reducing the probability or impact of risks to an acceptable level
C) Accepting all identified risks without any response
D) Transferring all risks to insurance companies

5. Which risk management technique involves transferring the risk to a third party?
A) Avoidance
B) Mitigation
C) Acceptance
D) Transfer

6. How is risk prioritization typically conducted?
A) Based solely on the likelihood of the risk occurring
B) Based solely on the impact of the risk
C) Based on a combination of likelihood and impact
D) Randomly assigning priorities to risks

Answers: 1. A, 2. C, 3. B, 4. B, 5. D, 6. C


Risk Assessment

August 24

Contents
1. Introduction to Risk Assessment
2. Risk Assessment vs Gap Assessment vs Audit
3. Critical Components (Areas) of Risk Assessment
4. Types of Risk Assessments
5. Methods to Identify Threats, vulnerabilities, and countermeasures
6. Evaluation of Threats, Vulnerability, and Countermeasures
7. Quiz

December 27, 2024

Introduction to Risk Assessment
What is Risk Assessment?
• Risk assessment is a systematic process that helps organizations identify, analyze, and prioritize potential risks that could impact their objectives and operations.
• It involves assessing the likelihood of adverse events occurring and the potential impact they could have.
• The main goal of risk assessment is to inform decision-making and implement appropriate measures to mitigate or manage risks effectively, ensuring the safety and success of the endeavor.
It is essential for successful risk management, allowing organizations to make educated decisions and achieve long-term success.

Why Risk Assessment Matters?

Proactive Risk Identification
• Risk assessment allows organizations to anticipate and identify potential risks before they materialize.
• By being proactive, organizations can implement preventive measures to minimize the impact of adverse events.

Optimized Resource Allocation
• Identifying and prioritizing risks assists in allocating resources efficiently.
• Resources can be directed towards high-impact risks, optimizing risk mitigation efforts.

Protecting Reputation and Brand
• Identifying and addressing reputation-related risks helps protect an organization's brand image.
• A positive reputation enhances customer trust and loyalty.

Informed Decision-Making
• Through risk assessment, decision-makers gain valuable insights into potential risks and their potential consequences.
• Informed decisions based on risk analysis lead to better outcomes and resource allocation.

Regulatory Compliance
• Risk assessment ensures organizations meet regulatory requirements and industry standards.
• Compliance demonstrates a commitment to risk management and builds stakeholders' trust.

Engaging Stakeholders
• Transparent risk assessment practices build confidence among stakeholders, including customers, investors, and partners.
• Engaged stakeholders are more likely to support the organization's objectives.

Business Continuity and Resilience
• Risk assessment helps organizations develop robust business continuity plans to manage disruptions effectively.
• Being prepared for various risks enhances resilience and reduces downtime during challenging times.

Safeguarding Financial Stability
• Assessing financial risks enables organizations to make well-informed financial decisions.
• By safeguarding financial stability, organizations can weather economic uncertainties more effectively.

Enhancing Project Management
• Risk assessment plays a pivotal role in project management by anticipating project-related risks.
• Proactively managing risks leads to successful project outcomes and minimizes potential setbacks.

Different Types of Risk

Strategic
• Demand Shortfall
• Customer retention
• Pricing pressure
• Regulation
• Industry or sector downturn

Operational
• Cost Overrun
• Operational Controls
• Bribery and Corruption
• Poor Capacity management
• Commodity prices

Hazard
• Macroeconomic
• Political Issues
• Legal Issues
• Terrorism
• Natural disasters

Financial
• Debt and interest rates
• Poor Financial management
• Asset losses
• Goodwill and amortization
• Accounting problems

Risk Assessment vs Gap Assessment vs Audit

Risk Assessment
• A risk assessment identifies and evaluates the threats and vulnerabilities against an organization's assets, data and processes.
• This helps us to identify the big risks.
• Scope: Focuses on specific risks.

Gap Assessment
• A gap assessment compares the current security controls and processes against the industry best practices and frameworks.
• This helps us to know the current situation in comparison to the target state.
• Scope: Identifies missing controls.

Audit
• An audit is a comprehensive review of the organization's overall security program.
• This helps to understand the current effectiveness of the security processes.
• Scope: Understanding of the security effectiveness.

Critical Components (Areas) of Risk Assessment

Asset Identification
• Identify potential threats and vulnerabilities that could exploit the information system's weaknesses.
• This involves understanding the types of attacks, malware, or unauthorized access that could affect the system.

Threat Identification
• Identify potential threats and vulnerabilities that could exploit the information system's weaknesses.
• This involves understanding the types of attacks, malware, or unauthorized access that could affect the system.

Vulnerability Assessment
• Assess and evaluate the vulnerabilities present in the information system.
• This involves analysing weaknesses in software, hardware, configurations, and human factors that could be exploited by threats.

Likelihood Determination
• Evaluate the likelihood or probability of specific threats exploiting vulnerabilities.
• This requires understanding the current threat landscape, historical attack data, and security controls in place.

Impact Analysis
• Determine the potential impact of successful attacks on the information system.
• Consider the potential consequences in terms of data loss, financial losses, operational disruptions, and reputational damage.

Risk Level Determination
• Combine the likelihood and impact assessments to determine the overall risk level for each identified threat-vulnerability pair.
• This step helps prioritize risks based on their severity.

Control Recommendations
• Based on the risk assessment, recommend appropriate security controls and countermeasures to mitigate or reduce the identified risks.
• These controls could include technical measures, policies, procedures, or user awareness training.

Cost-Benefit Analysis
• Evaluate the cost and benefits of implementing specific security controls.
• This helps in making informed decisions about which controls to prioritize based on their effectiveness and cost-effectiveness.

Residual Risk Assessment
• After implementing security controls, reassess the residual risks, the risks that remain after controls are applied, to determine if they are at an acceptable level.

Documentation and Reporting
• Document the entire risk assessment process, including the identified risks, assessment results, recommended controls, and risk treatment decisions.
• Create clear and concise reports for stakeholders to understand the risk posture of the information system.

Continuous Monitoring
• Implement mechanisms for continuous monitoring of the information system's security posture.
• Regularly review and update the risk assessment as the threat landscape and the organization's environment change.

• These components provide a structured approach to managing risks in information systems and are essential for developing effective information security strategies.
• By following these steps, organizations can identify and address potential threats, vulnerabilities, and risks to protect their information assets effectively.
Types of Risk Assessments
Definition of Quantitative and Qualitative

Quantitative
• A quantitative risk assessment uses numbers such as dollar values. You gather data and then enter it into standard formulas.
• The results can help you identify the priority of risks. You can also use the results to determine the effectiveness of controls.

Qualitative
• A qualitative risk assessment doesn't assign dollar values. Instead, it determines the level of risk based on the probability and impact of a risk.
• These values are determined by gathering the opinions of experts.

Difference between Quantitative and Qualitative

Quantitative
• Data can be measured using quantities or metrics and is numerical in quantitative analysis.
• It aims to measure and quantify phenomena.
• Structured procedures, such as surveys with closed-ended questions, are used to gather quantitative data.
• Larger sample numbers are often needed for quantitative analysis to reach statistical significance.
• The data are analysed and conclusions are drawn using mathematical models and statistical methods in quantitative analysis.

Qualitative
• Data used in qualitative analysis is typically non-numerical and presented as text, pictures, videos, or narratives.
• Gaining understanding and recording the intricacies of human behaviour and experiences are its main goals.
• Qualitative data is gathered through techniques including focus groups, interviews, and observations.
• Smaller sample sizes can be used for qualitative analysis, which concentrates on in-depth investigation.
• To find themes, patterns, and insights, qualitative analysis entails evaluating textual, visual, or narrative data.
Types of Risk Assessments (Qualitative and Quantitative)
Case Study: Quantitative and Qualitative

Quantitative
• A company issues laptop computers to employees. The value of each laptop is $2,000. This includes the hardware, software, and data. About 100 laptops are being used at any time. In the past two years, the company has lost an average of one laptop per quarter.
• The value of each laptop is $2,000, and the SLE is $2,000. One laptop is lost each quarter, resulting in an ARO of 4. The ALE is calculated as $2,000*4, or $8,000. You can then use the ALE to determine the usefulness of a control. For example, the company could purchase hardware locks for the laptops in bulk at a cost of $10 each. The safeguard value is $10*100 laptops, or $1,000. It's estimated that if the locks are purchased, the ARO will decrease from 4 to 1. Should the company purchase these locks?
• You can determine the effectiveness of the control using the following calculations:
• Current ALE: Annual loss expectancy (ALE) = $8,000 (ARO of 4 * $2,000)
• ARO with control = 1
• ALE with control = $2,000 (ARO of 1 * $2,000)
• Savings with control = $6,000 (Current ALE of $8,000 - ALE with control of $2,000)
• Safeguard value (cost of control) = $1,000 ($10*100)
• Realized savings = $5,000 (Savings with control of $6,000 - safeguard value of $1,000)

Qualitative
• A company's web site sells company products. Due to some recent outages, you are trying to identify the most important risks to the Web site. Based on feedback from several experts, you have come up with a list. You now want to prioritize these risks. The risk categories are:
• DoS attack: Any denial of service (DoS) or distributed DoS (DDoS) attack that results in an outage.
• Web defacing: Modification of the Web site by unauthorized parties.
• Loss of data from unauthorized access: Any loss of confidentiality. This could be from an attacker accessing customer data. It could also be from an attacker accessing any internal private data. It does not include the loss of public data that is freely available.
• Loss of Web site data due to hardware failure: This indicates the loss of any Web site data. This can include any data used to show the Web pages to customers. It can also include the Web site application used to retrieve and format the data into Web pages.
• Probability and impact are calculated by averaging the inputs from the different experts. You determine the risk level by multiplying Probability*Impact:
• DoS attack -> probability 100, impact 100: (1.0*100) = 100
• Web defacing -> probability 50, impact 90: (0.5*90) = 45
• Loss of data from unauthorized access -> probability 30, impact 10: (0.3*10) = 3
• Loss of Web site data due to hardware failure -> probability 30, impact 90: (0.3*90) = 27
• The priority now set would be: DoS > Web defacing > Loss of Web site data due to hardware failure > Loss of data from unauthorized access.
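The quantitative case study's SLE/ARO/ALE arithmetic, as an added example that is not part of the course material: it reproduces the laptop-lock figures and extends them to compare several candidate controls so that the one with the highest realized savings can be picked. The two controls other than the hardware locks, with their costs and ARO estimates, are constructed.

```python
"""Quantitative control evaluation with SLE, ARO and ALE.

Added example; not from the course slides. It reproduces the laptop-lock
case study figures and compares them with two constructed alternatives.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    unit_cost: float          # cost per protected asset (the case study's $10 lock)
    units: int                # number of assets the control is applied to
    aro_with_control: float   # estimated annual rate of occurrence once deployed

    @property
    def safeguard_value(self):
        """Cost of the control: unit cost x number of units."""
        return self.unit_cost * self.units


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO. SLE is the loss from a single occurrence."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def evaluate_control(sle, current_aro, control):
    """Return the case study's cost-benefit figures for one control."""
    current_ale = annual_loss_expectancy(sle, current_aro)
    ale_with_control = annual_loss_expectancy(sle, control.aro_with_control)
    savings = current_ale - ale_with_control
    realized_savings = savings - control.safeguard_value
    return {
        "control": control.name,
        "current_ale": current_ale,
        "ale_with_control": ale_with_control,
        "savings": savings,
        "safeguard_value": control.safeguard_value,
        "realized_savings": realized_savings,
        # A control is only justified when it saves more than it costs.
        "worth_buying": realized_savings > 0,
    }


def best_control(sle, current_aro, controls):
    """Evaluate every candidate and return the one with the highest realized
    savings, or None when no candidate pays for itself."""
    evaluated = sorted(
        (evaluate_control(sle, current_aro, c) for c in controls),
        key=lambda e: e["realized_savings"],
        reverse=True,
    )
    if evaluated and evaluated[0]["worth_buying"]:
        return evaluated[0]
    return None


# Figures from the case study: $2,000 per laptop, 100 laptops, one loss per quarter.
LAPTOP_SLE = 2_000
LAPTOPS = 100
CURRENT_ARO = 4

CANDIDATE_CONTROLS = [
    Control("Hardware cable locks", 10, LAPTOPS, 1),         # from the case study
    Control("Asset-tracking agent", 45, LAPTOPS, 2),         # constructed
    Control("Quarterly awareness training", 20, LAPTOPS, 3), # constructed: breaks even
]


def laptop_case_study():
    """Evaluate the case study's hardware locks."""
    return evaluate_control(LAPTOP_SLE, CURRENT_ARO, CANDIDATE_CONTROLS[0])


if __name__ == "__main__":
    for c in CANDIDATE_CONTROLS:
        e = evaluate_control(LAPTOP_SLE, CURRENT_ARO, c)
        print(f"{e['control']:<30} ALE ${e['ale_with_control']:>6,} "
              f"cost ${e['safeguard_value']:>6,} net ${e['realized_savings']:>7,} "
              f"{'buy' if e['worth_buying'] else 'skip'}")
    best = best_control(LAPTOP_SLE, CURRENT_ARO, CANDIDATE_CONTROLS)
    print("Recommended:", best["control"] if best else "none")
```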

Types of Risk Assessments

Asset-based Risk Assessment
Asset-based risk assessment focuses on identifying and evaluating risks associated with specific assets within an organization, such as hardware, software, data, and infrastructure. This includes:
• Inventorying and categorizing assets.
• Assessing the value and criticality of each asset.
• Identifying threats and vulnerabilities related to these assets.
• Evaluating the potential impact if an asset is compromised.

Process-based Risk Assessment
Process-based risk assessment examines risks within the context of business processes and workflows. It involves:
• Mapping key business processes.
• Identifying information assets involved in each process.
• Analyzing vulnerabilities and threats at each step.
• Assessing the impact of security incidents on processes and overall business operations.

Context-based Risk Assessment
Context-based risk assessment takes a broader perspective, considering the organization's unique environment, both internal and external. This approach includes:
• Evaluating the organization's business objectives and strategy.
• Addressing industry-specific regulations and compliance requirements.
• Analyzing the broader threat landscape and emerging risks.
• Assessing how different risk factors interact and impact the organization as a whole.
Methods to identify Threats, vulnerabilities and countermeasures

Threats
• A threat is any potential danger. The danger can be to the data, the hardware, or the systems.
• Two primary methods to identify threats are:
  • Review historical data
  • Threat Modelling

Vulnerabilities
• Vulnerability assessment is the process of identifying system weaknesses and prioritizing relevant vulnerabilities.
• Assessments are conducted to identify and evaluate vulnerabilities.
• The two primary assessments are:
  • Vulnerability assessments
  • Exploit assessments

Countermeasures
• A countermeasure is a security control or a safeguard implemented to reduce a risk.
• Controls to be considered when identifying and evaluating countermeasures:
  • In-place controls
  • Planned controls
  • Control categories
Identification and evaluation of threats – Reviewing historical data

Reviewing historical data helps identify threats.

1 Attacks
Past website attacks increase the likelihood of future attacks, but their success depends on the level of protection implemented since then.

2 Natural Events
If a location experienced hurricanes before, it's likely to face them again, necessitating regular review and testing of disaster recovery and business continuity plans.

3 Accidents
Accidental events affecting confidentiality, integrity, or availability, like data deletion or user errors, should be considered in risk assessments.

4 Equipment Failures
Analysing past failures predicts future risks and identifies systems needing more redundant hardware for improved reliability.
Identification and evaluation of threats – Threat modelling

Threat modelling is a process used to identify possible threats on a system.
• Threat modelling looks at a system from the attacker's perspective.
• The result of threat modelling is a document called a threat model.
• Threat modelling allows prioritization of attacks based on their probability of occurring and the potential harm.

The threat model provides information on:

1 The system
This includes background information on the system.

2 Threat profile
This is a list of threats identifying what the attacker may try to do to the system.

3 Threat analysis
Each threat in the profile is analysed for asset vulnerability and the effectiveness of existing controls against the threat.
Identification and evaluation of vulnerabilities

Vulnerability assessment
A vulnerability assessment is a process used to discover weaknesses in a system. The assessment will then prioritize the vulnerabilities to determine which weaknesses are relevant.
• You can perform vulnerability assessments internally or externally.
• An internal assessment attempts to discover weaknesses from within the network. An external assessment attempts to discover what attackers outside the company may see.
• A vulnerability assessment often starts by gathering information.
• A vulnerability assessment may have multiple goals, such as:
  • Identify IP addresses
  • Identify names
  • Identify operating systems

Exploit assessment
An exploit assessment attempts to discover what vulnerabilities an attacker can exploit. Exploit assessments are also referred to as "penetration tests."
• You usually start an exploit assessment with a vulnerability assessment. After you discover weaknesses, you attempt the exploit.
• There is a significant difference between the exploit assessment and the vulnerability assessment. Specifically, an exploit assessment is intrusive. The goal is to test the exploit.
• If the exploit assessment is successful, it can disrupt operations. With this in mind, you should be cautious when performing exploit assessments.
• Many of the popular vulnerability assessment suites include tools you can use to perform exploit assessments.
Risk Assessment
Identification and evaluation of countermeasures

A countermeasure is a security control or a safeguard which is implemented to reduce a risk.

1. In-place controls: These are controls that are currently installed in the operational system.
2. Planned controls: These are controls that have a specified implementation date.
3. Control categories: Controls fall into four primary categories as per ISO 27001:2022: Organizational controls, Personnel controls, Physical controls and Technological controls.

In-Place Controls
These are security controls or measures that have already been implemented within the organization's IT environment. They are currently active and functioning to address specific security risks or vulnerabilities.

Planned Controls
These are security controls or measures that an organization intends to implement in the future but have not been deployed yet. They are part of the organization's security strategy and are required to address identified risks or vulnerabilities.

Risk Assessment
Control Categories
ISO 27001
► The Standard provides the framework for an effective Information Security Management System (ISMS). It sets out the policies and controls needed to protect organizations and includes all the risk controls necessary for robust IT security management.
► Below are the control categories as per ISO 27001:2022

Organizational Controls
• Information Security Policies creation and implementation as per the organization's approach to information security.
• Clear definition, allocation and communication of responsibilities regarding information security in an organization.
• Maintaining up-to-date asset inventory, doing proper asset classification based on sensitivity and assigning asset ownership of all information assets.
• Creating policies for implementation of cloud services in terms of acquisition, use, management and exit.

Personnel Controls
• Creation of policies related to personnel working remotely in terms of information accessed, processed and stored.
• Implementing confidentiality and non disclosure agreements for employees and contractors to protect sensitive information.
• Conducting pre-employment screening and background checks for employees and contractors. Also, ensuring that access rights are revoked upon termination.
• Providing ongoing information security training and awareness programs for all employees and contractors.

Physical Controls
• Implementing controls to protect against environmental risks such as fire, flood, and other natural disasters.
• Establishing secure areas to protect sensitive information facilities. Implementing controls to restrict and monitor access to secure areas.
• Proper management of storage media throughout the cycle of acquisition, use, transportation and disposal.
• Protecting network infrastructure from unauthorized access, interception and damage.

Technological Controls
• Using encryption to protect the confidentiality and integrity of sensitive information both in transit and at rest.
• Implementing access control policies and mechanisms to ensure that only authorized users have access to information and systems.
• Regularly backing up data and ensuring that recovery procedures are tested regularly and effectively.
• Implementing network security measures, maintaining logs of security events and monitoring systems to detect and respond to security incidents.
Risk Assessment
Quiz

1. What is the primary goal of Risk Assessment?
A) To eliminate all risks entirely
B) To conduct audits of organizational processes
C) To implement countermeasures without evaluation
D) To identify, assess, and prioritize risks

2. What is the purpose of asset-based risk assessment?
A) To evaluate risks associated with specific organizational assets
B) To assess risks related to employee performance
C) To analyze risks based on historical data
D) To implement countermeasures without evaluation

3. How does Risk Assessment differ from Gap Assessment and Audit?
A) Risk Assessment evaluates potential threats, while Gap Assessment focuses on process deficiencies, and Audit verifies compliance.
B) Risk Assessment focuses on compliance, while Gap Assessment evaluates vulnerabilities, and Audit assesses asset values.
C) Risk Assessment identifies financial risks, while Gap Assessment focuses on data breaches, and Audit evaluates employee performance.
D) None of the above

4. How is threat modelling used in identifying threats?
A) By reviewing historical data of past threats
B) By creating hypothetical scenarios of potential threats
C) By conducting vulnerability assessments
D) By implementing technological controls

5. What are examples of control categories in Risk Assessment?
A) Legal, ethical, physical and operational
B) Strategic, tactical, and operational
C) Organizational, personnel, physical, and technological
D) Financial, technological, personnel and operational

Answers
1. D 2. A 3. A 4. B 5. C

Risk Assessment
Thank you!

Risk Management Planning
August 2024

Contents
1. Objectives of risk management plan
2. Scope of risk management plan
3. Understanding and assessing the impact of legal and compliance issues
4. Assigning responsibilities
5. Prioritizing risk elements
6. Performing cost benefit analysis
7. Risk response strategies
8. Incident management
9. Risk monitoring and control
10. Reporting requirements
11. Quiz

Page 36 Risk Management Planning

Objectives of risk management plan

Objective of Risk Assessment Plan
• The primary objectives of a risk management plan are to proactively identify, analyze, assess, and mitigate risks that could potentially impact an organization's ability to achieve its strategic goals and objectives.
• The plan aims to foster a risk-aware culture within the organization, promote decision-making based on risk analysis, and enhance overall risk governance.

Objectives related to risk assessment include (but are not limited to):

1. Risk Identification
• Identifying potential risks that the organization may face in its internal and external environments.
• These risks can be related to various aspects, such as operational, financial, compliance, reputational, technological, or strategic.

2. Risk Analysis and Assessment
• Analyzing the identified risks to understand their potential impact on the organization.
• The risk assessment process involves evaluating the likelihood of occurrence and the potential severity of consequences.

3. Risk Mitigation and Control
• Develop strategies and action plans to minimize the likelihood and impact of identified risks.
• This may involve implementing control measures, process improvements, or risk transfer mechanisms (e.g., insurance).

4. Risk Communication
• Ensuring effective communication of risk-related information to stakeholders at all levels within the organization.
• This facilitates informed decision-making and promotes a risk-aware culture.

5. Monitoring and Review
• Regularly monitoring the effectiveness of risk management strategies and reassessing risks as the business environment changes.
• The continuous review ensures the plan remains relevant and responsive to emerging risks.

Scope of risk management plan

Scope of Risk Management Plan
• The scope of the risk management plan outlines the boundaries and extent of risk management activities within the organization.
• The scope may vary based on the organization's size, industry, complexity, and risk appetite.

Risk Assessment plan should cover the following aspects:

1. Organizational Scope
• Define the specific units, departments, projects, or processes that the risk management plan will cover.
• This clarifies which parts of the organization are included in the risk management process.

2. Risk Categories
• Identify the different categories of risks that the plan will address, such as financial, operational, compliance, reputational, and strategic risks. Each category may require distinct assessment and mitigation approaches.

3. Roles and Responsibilities
• Clearly outline the responsibilities of individuals or teams involved in the risk management process.
• This includes risk owners, risk managers, risk analysts, and other stakeholders.

4. Risk Tolerance and Appetite
• Specify the organization's risk tolerance level, which represents the amount of risk the organization is willing to accept to achieve its objectives. Understanding risk appetite helps in determining the appropriate risk response strategies.

5. Reporting and Escalation
• Establish the reporting and escalation mechanisms for communicating risk-related information to senior management or the board of directors. This ensures that key decision-makers are informed about significant risks.

6. Timeframe
• Define the timeframe for the risk management plan. Risk management is an ongoing process, but the plan may be reviewed and updated periodically based on changing circumstances.

Understanding the impact of legal and compliance issues

What is compliance?
• Compliance is a mitigation control that reduces or neutralizes threats and vulnerabilities to an acceptable level.
• It's important that an organization knows what laws apply to them. Once these are identified, it's important to ensure that the organization is in compliance.
• When assessing the impact of compliance issues in your organization, you should take two distinct steps. First, identify what compliance issues apply to your organization. Second, assess the impact of these issues on your business operations.

Some of the key laws that apply to organizations are:
1. Health Insurance Portability and Accountability Act (HIPAA)
2. Sarbanes-Oxley Act (SOX)
3. Federal Information Security Management Act (FISMA)
4. Family Educational Rights and Privacy Act (FERPA)
5. Children's Internet Protection Act (CIPA)
6. Payment Card Industry Data Security Standard (PCI DSS)

Non-compliance can lead to:
• Brand Damage
• Monetary Penalty
• Legal Implications

Understanding the impact of legal and compliance issues

How do you identify if a law applies to your organization?

1. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to any organization that handles health information. Fines can range from $100 per violation to $25,000 per year for mistakes. Intentional data breaches can lead to fines up to $250,000 and 10 years in prison.

2. Sarbanes-Oxley Act (SOX)
The SOX Act applies to any business that is required to be registered with the Securities and Exchange Commission. This is any publicly traded company. CEOs and CFOs must personally verify data accuracy. Compliance expenses averaged $5.1 million for Fortune 500 companies in 2004.

3. Federal Information Security Management Act (FISMA)
FISMA applies to all U.S. federal agencies. If you work in a federal agency, FISMA applies. A core requirement of FISMA is to identify, certify as compliant, and authorize for operation all IT systems in the organization.

4. Family Educational Rights and Privacy Act (FERPA)
FERPA applies to all education institutions and agencies that receive funding under any program administered by the U.S. Department of Education. Schools must share student records with students or parents upon request.

5. Children's Internet Protection Act (CIPA)
CIPA applies to any school or library that receives funding from the U.S. E-Rate program. Schools and libraries must filter offensive content to minors. Non-compliance risks losing E-Rate discounts. Defining "offensive" content using local standards can be challenging.

6. Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is not a law, but a standard created by credit card companies. Any organization that accepts credit card payments over the Internet needs to comply. Compliance requires following 12 security requirements, primarily IT-related best practices.

Assigning responsibilities

Assigning responsibilities
• The risk management plan specifies responsibilities; this provides accountability. If you don't assign responsibilities, tasks can easily be missed.
• Responsibility can be assigned to:
  - Risk management PM
  - Stakeholders
  - Departments or department heads
  - Executive officers such as CIO or CFO

Responsibilities and Authority of a Project Manager
• The Project Manager (PM) holds the overall responsibility for project success. To ensure effectiveness, the PM must have the authority to make decisions and resolve issues.
• PM's authority facilitates timely problem-solving. It enables effective management of team conflicts and task alignment.
• PMs must have the authority commensurate with their responsibilities to achieve project success. By aligning responsibility with authority, PMs can lead the project efficiently and overcome challenges.

• The PM is responsible for the overall success of the plan. Some of the common tasks of a PM are:
  - Ensuring costs are controlled
  - Ensuring quality is maintained
  - Ensuring the project stays on schedule
  - Ensuring the project stays within the scope
  - Tracking and managing all project issues
  - Ensuring information is available to all stakeholders
  - Raising issues and problems as they become known
  - Ensuring others are aware of their responsibilities and deadlines

• Responsibilities for the following activities could be assigned to the respective project manager:
  - Risk Identification - This includes threats and vulnerabilities. The resulting lists of potential risks can be extensive.
  - Risk Assessment - This means identifying the likelihood and impact of each risk. A threat matrix is a common method used to assess risks.
  - Risk Mitigation Steps - These are steps that can reduce weaknesses. This can also include steps to reduce the impact of the risk.
  - Reporting - Report the documentation created by the plan to management. The PM is often responsible for compiling reports.

Prioritizing risk elements

• One way to identify the most important countermeasures is by prioritizing the risk elements, which are the threats and vulnerabilities. Risks arise when a threat exploits a vulnerability.
• If the countermeasures have already been matched with the threat/vulnerability pairs, completing this step becomes easier.

Threat/Vulnerability Matrix
Threats can negatively affect confidentiality, integrity, or availability. The severity of the threat is evaluated by identifying the likelihood it will affect one of these. The impact is evaluated by determining the extent to which it will affect confidentiality, integrity, or availability.

Sample threat/likelihood impact-matrix (score = impact value x likelihood), with columns LOW IMPACT (10), MEDIUM IMPACT (50) and HIGH IMPACT (100):
• High threat likelihood, 100 percent (1.0): 10 x 1 = 10; 50 x 1 = 50; 100 x 1 = 100
• Medium threat likelihood, 50 percent (.50): 10 x 0.5 = 5; 50 x 0.5 = 25; 100 x 0.5 = 50
• Low threat likelihood, 10 percent (.10): 10 x 0.1 = 1; 50 x 0.1 = 5; 100 x 0.1 = 10

Prioritizing risk elements

Prioritizing Countermeasures
1. Use the threat/vulnerability matrix to prioritize risks and countermeasures.
2. Higher risk scores indicate higher potential losses and should be addressed before lower-scoring risks.
3. Evaluate threats and vulnerabilities based on existing countermeasures in place.
4. The likelihood and impact of a risk determine its score; high likelihood and high impact result in higher scores.
5. Identify critical risks based on their scores and potential impact on the organization.
6. The threat scores may not be definitive; human judgment is essential to prioritize based on the organization's needs.

Example: if an organization was not using any antivirus software, there is a high likelihood that systems would become infected. If several systems became infected, the impact would also be high. A high likelihood of 100 percent times a high impact of 100 gives a score of 100. However, you may have antivirus software installed on all your systems. In the past year, imagine that only one malware incident caused problems after a single user disabled the antivirus software. The malware tried to spread but was quickly detected by antivirus software on other systems. In this example, there is a low likelihood and a low impact giving a score of one.

Cost - Benefit analysis

What is cost-benefit analysis?
• The cost-benefit analysis (CBA) is a significant step when evaluating a control. The cost of the control is compared to the cost of the risk if it occurs. If the control costs more to implement than the cost of the risk, it isn't cost effective.

How to calculate a cost-benefit analysis?
• Two pieces of data are required to perform an effective CBA: the cost of the control should be known, along with the projected benefits of the control.
• The projected benefits can be calculated with the following formula:

Loss before control - Loss after control = Projected benefits

• You can then determine if the control should be used with this formula:

Projected benefits - Cost of control

• Positive value: if the result is a positive value, the control is worthwhile.
• Negative value: if the value is negative, the control costs more than the benefits and shouldn't be purchased.

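To make the likelihood x impact matrix and the two cost-benefit formulas concrete end to end, here is an added Python example (not code from the course material). It scores threat/vulnerability pairs with the same 10/50/100 impact and 1.0/0.5/0.1 likelihood scales, ranks them, and then applies "loss before minus loss after" and "benefits minus cost" to candidate controls. Every risk, control name and dollar figure in it is constructed for illustration.

```python
"""Risk prioritization matrix and cost-benefit analysis.

Added example, not code from the course material. It implements the
likelihood x impact scoring used in the sample matrix and the two CBA
formulas from the slides:
    Loss before control - Loss after control = Projected benefits
    Projected benefits - Cost of control     = net value (positive -> worthwhile)
All risks, dollar figures and control names below are constructed.
"""
from dataclasses import dataclass

# Rating scales taken from the sample matrix: impact 10 / 50 / 100,
# likelihood 1.0 / 0.5 / 0.1.
IMPACT = {"low": 10, "medium": 50, "high": 100}
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}


def build_matrix() -> dict:
    """Rebuild the 3x3 sample matrix: matrix[likelihood][impact] -> score."""
    return {lk: {im: IMPACT[im] * LIKELIHOOD[lk] for im in IMPACT} for lk in LIKELIHOOD}


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair with its qualitative ratings."""
    threat: str
    vulnerability: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"

    def score(self) -> float:
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]


def prioritize(risks: list) -> list:
    """Order risks highest score first; the stable sort keeps ties in input order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure with its cost and the loss it is expected to avert."""
    name: str
    cost: float         # purchase plus any ongoing cost for the period considered
    loss_before: float  # expected loss for the period without the control
    loss_after: float   # expected loss for the period with the control in place

    def projected_benefits(self) -> float:
        return self.loss_before - self.loss_after

    def net_value(self) -> float:
        return self.projected_benefits() - self.cost

    def worthwhile(self) -> bool:
        # Positive value: worthwhile. Negative: the control costs more than it saves.
        return self.net_value() > 0


def rank_controls(controls: list) -> list:
    """Controls that pass the CBA, best net value first; rejected controls are dropped."""
    passing = [c for c in controls if c.worthwhile()]
    return sorted(passing, key=lambda c: c.net_value(), reverse=True)


# Constructed sample register, mirroring the antivirus discussion in the text.
SAMPLE_RISKS = [
    Risk("malware", "no antivirus on workstations", "high", "high"),
    Risk("malware", "single user disabled antivirus", "low", "low"),
    Risk("hurricane", "single site, DR plan not tested", "low", "high"),
    Risk("attacker", "unpatched web server", "medium", "high"),
]

# Constructed sample controls and dollar figures (hypothetical values).
SAMPLE_CONTROLS = [
    Control("antivirus on all workstations", cost=2_000, loss_before=10_000, loss_after=1_000),
    Control("$4,000 firewall upgrade", cost=4_000, loss_before=3_000, loss_after=500),
    Control("$800 firewall upgrade", cost=800, loss_before=3_000, loss_after=1_000),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.score():6.1f}  {r.threat} / {r.vulnerability}")
    for c in SAMPLE_CONTROLS:
        verdict = "worthwhile" if c.worthwhile() else "not cost effective"
        print(f"{c.name}: {c.projected_benefits():,.0f} - {c.cost:,.0f} = {c.net_value():,.0f} ({verdict})")
```

Running the script ranks the unprotected-workstation risk (score 100) ahead of the unpatched web server (50), the untested DR plan (10) and the disabled-antivirus incident (1), and the CBA accepts the antivirus and the $800 firewall while rejecting the $4,000 firewall, whose cost exceeds the $2,500 it would save.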


Risk response strategies

Based on the prioritization of risks and the outcomes of the cost-benefit analysis, develop specific strategies to respond to each identified risk.

1. Mitigation
Mitigation aims to reduce the probability or impact of a risk to an acceptable level through proactive measures. Strategies may include implementing controls, improving processes, enhancing training, or upgrading technology.

2. Acceptance
Acceptance involves acknowledging the existence of a risk but deciding not to take action to avoid or mitigate it. It is suitable when the cost of mitigation outweighs the potential impact of the risk or when the risk falls within acceptable thresholds.

3. Avoidance
Avoidance seeks to eliminate the risk entirely by altering plans, processes, or activities to circumvent the risk source. It often involves strategic decisions to not pursue certain activities or ventures that carry high inherent risks.

4. Transfer
Transfer shifts the financial or operational consequences of a risk to another party, typically through contracts, insurance, or outsourcing. It allows organizations to leverage external expertise or resources to manage risks more effectively.

Document Strategies
For each risk response strategy, the following should be clearly documented in detail:
► Rationale
► Responsibilities
► Timelines
► Resources required for implementation

Incident management

What is incident management?
• Incident management refers to the process of identifying, analyzing, and responding to security incidents in order to minimize their impact on an organization. It involves a structured approach to managing and resolving incidents swiftly and effectively.

1. Establish Incident Response Plan
► Define a structured approach for detecting, responding to, and recovering from security incidents and crises related to identified risks.
► Outline roles and responsibilities of incident response team members and stakeholders, specifying their tasks during different phases of incident management (e.g., detection, containment, eradication, recovery, and lessons learned).

2. Testing and Training
► Conduct regular testing and simulations of the IRP to validate its effectiveness and readiness.
► Provide ongoing training and awareness programs for employees to ensure they understand their roles and responsibilities in incident response.

3. Continuous Improvement
► Review and update the IRP regularly to incorporate lessons learned from past incidents, changes in the risk landscape, and emerging threats.
► Document post-incident reviews to identify areas for improvement and adjust response procedures accordingly.

Risk monitoring and control

What is risk monitoring?
• Risk monitoring is the ongoing process of observing, tracking, and assessing risks to an organization's assets, operations, and objectives.
• It involves systematically reviewing risk factors and indicators to detect changes, trends, or new risks that could impact the organization.

Overview of risk monitoring

• Establish Monitoring Mechanisms:
  1. Implement tools and processes to continuously monitor identified risks, including key risk indicators (KRIs), thresholds, and triggers for escalation.
  2. Automate monitoring where possible to ensure timely detection of changes in risk exposure.

• Regular Risk Reviews:
  1. Conduct regular reviews of risk assessments and risk registers to verify the effectiveness of existing controls and identify new or emerging risks.
  2. Engage stakeholders in risk review meetings to gather diverse perspectives and ensure comprehensive risk coverage.

• Control Effectiveness Evaluation:
  - Evaluate the effectiveness of risk controls through periodic assessments and audits.
  - Address any gaps or deficiencies in controls promptly and implement corrective actions as necessary.

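The monitoring mechanisms described above (KRIs with thresholds and triggers for escalation, plus detection of trends) can be implemented as a small rule evaluator. The following Python is an added example, not code from the course material; the KRI names, thresholds and weekly readings are constructed, and the "three consecutive rises" trend trigger is an assumption chosen for illustration.

```python
"""Key risk indicator (KRI) monitoring with thresholds and escalation triggers.

Added example, not code from the course material. Each KRI carries a warning
threshold (flag for the risk owner) and an escalation threshold (escalate to
management). A trigger also fires when the indicator has risen for several
consecutive periods, so a worsening trend is caught before the hard limit.
KRI names, thresholds and readings below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    name: str
    warning: float           # at or above this value: warn the risk owner
    escalation: float        # at or above this value: escalate to management
    rising_periods: int = 3  # consecutive increases that also trigger escalation (assumed)


def is_rising(readings: list, periods: int) -> bool:
    """True when each of the last `periods` readings exceeds the one before it."""
    if len(readings) < periods + 1:
        return False
    tail = readings[-(periods + 1):]
    return all(later > earlier for earlier, later in zip(tail, tail[1:]))


def evaluate(kri: KRI, readings: list) -> tuple:
    """Classify the latest reading as 'ok', 'warning' or 'escalate', with a reason."""
    if not readings:
        return "ok", f"{kri.name}: no data"
    current = readings[-1]
    if current >= kri.escalation:
        return "escalate", f"{kri.name}={current} >= escalation threshold {kri.escalation}"
    if is_rising(readings, kri.rising_periods):
        return "escalate", f"{kri.name} rose for {kri.rising_periods} consecutive periods"
    if current >= kri.warning:
        return "warning", f"{kri.name}={current} >= warning threshold {kri.warning}"
    return "ok", f"{kri.name}={current} within tolerance"


def review(indicators: list) -> list:
    """Evaluate every (KRI, readings) pair; return only items needing attention, most severe first."""
    severity = {"escalate": 2, "warning": 1, "ok": 0}
    results = [(kri.name, *evaluate(kri, readings)) for kri, readings in indicators]
    flagged = [r for r in results if r[1] != "ok"]
    return sorted(flagged, key=lambda r: severity[r[1]], reverse=True)


# Constructed sample: weekly readings, oldest first.
SAMPLE = [
    (KRI("unpatched critical vulns", warning=5, escalation=15), [2, 3, 4, 6]),            # rising trend
    (KRI("days since last DR test", warning=180, escalation=365), [100, 130, 120, 190]),  # over warning only
    (KRI("failed logins per hour", warning=50, escalation=200), [20, 15, 22, 18]),        # within tolerance
    (KRI("open audit findings", warning=10, escalation=25), [30, 28, 26, 27]),            # over escalation
]


if __name__ == "__main__":
    for name, status, reason in review(SAMPLE):
        print(f"[{status.upper():8}] {reason}")
```

The trend rule is what turns a monitoring report into an early-warning signal: the vulnerability backlog in the sample is still below its hard limit, but four consecutive increases escalate it anyway, while the DR-test indicator, which has stopped climbing, stays at warning level.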


Reporting Requirements

Introduction
After collecting data on the risks and recommendations, you need to include it in a report. You will then present this report to management. The primary purpose of the report is to allow management to decide on what recommendations to use. There are four major categories of reporting requirements. They are:
• Present recommendations—These are the risk response recommendations.
• Document management response to recommendations—Management can accept, modify, or defer any of the recommendations.
• Document and track implementation of accepted recommendations—This becomes the actual risk response plan.
• Plan of action and milestones (POAM)—The POAM tracks the risk response actions.

Present Recommendation
Compile the collected data into a report. It will include the lists of threats, vulnerabilities, and recommendations. You then present this report to management. Management will use this data to decide what steps to take.
This report should include the following information:
• Findings
• Recommendation cost and time frame
• Cost-benefit analysis

Findings
The findings list the facts. Remember, losses from risks occur when a threat exposes a vulnerability. Risk management findings need to include threats, vulnerabilities, and potential losses. These are described as cause, criteria, and effect.
• Cause—The cause is the threat. For example, an attacker may try to launch a DoS attack. In this case, the threat is the attacker. When you list the cause, it's important to identify the root cause. A successful attack is dependent on an attacker having access and the system being vulnerable. Risk management attempts to reduce the impact of the cause, or reduce the vulnerabilities.
• Criteria—This identifies the criteria that will allow the threat to succeed. These are the vulnerabilities.
• Effect—The effect is often an outage of some type. For example, the effect on a Web site could be that the Web site is not reachable any more.
An important consideration as you document findings is resource availability. It could be that all the discovered issues were previously known. However, money may not have been allocated to purchase the solutions in the past. It's also possible that manpower wasn't adequate to implement the solutions.

Reporting Requirements

Cost Benefit Analysis
It is a process used to determine how to manage a risk. If the benefits of a control outweigh the costs, the control can be implemented to reduce the risk. If the costs are greater than the benefits, the risk can be accepted. In this context, the CBA should include two items:
• Cost of the recommendation—The recommendation is the control intended to manage the risk. If you anticipate that there will be ongoing costs, you should include them in the calculation.
• Projected benefits—Calculate benefits in terms of dollars. Benefits can be expressed as money earned or losses reduced.

Recommendation Cost and Time Frame
The report will include a list of recommendations. These recommendations will address the potential causes and criteria that can result in the negative effect. Each item should include the cost required to implement it. Also include the timeline to implement the solution. Management will use this data to decide if the solution should be applied.

Risk Statements
Reports are often summarized in risk statements. You use risk statements to communicate a risk and the resulting impact. They are often written using "if/then" statements. The "if" part of the statement identifies the elements of the risk. The "then" portion of the statement identifies the effect.

Document Management Response to Recommendations
After you present your managers with the recommendations, they will decide what to do. They can accept, defer or modify recommendations.
• Accept—Management approves the recommendation. Approved recommendations are funded and implemented. They will then be added to a POAM for tracking.
• Defer—Management can also defer a recommendation. It may still be implemented later. However, do not include it in the list of accepted recommendations.
• Modify—Management can also decide to modify a recommendation. For example, you may recommend a firewall. Management may decide on two firewalls to implement a demilitarized zone (DMZ). On the other hand, you may recommend a $4,000 firewall. Management may decide to purchase an $800 firewall instead.

Document and Track Implementation of Accepted Recommendations
It's important to document the decisions made by management. As time passes, the decisions can become distorted if you don't document them. This is especially true if the recommendations are deferred or modified.
• It could be a simple document listing the recommendation and the decision. It could look similar to this:
  - Recommendation to purchase AV software.
  - Recommendation to hire an IT administrator.
  - Recommendation to purchase $750 firewall.

Reporting Requirements

Plan of Action and Milestones
A plan of action and milestones (POAM) is a document used to track progress. POAMs are used in many types of project management. A POAM is used to assign responsibility and to allow management follow-up.
• Assignment of responsibility—The POAM makes it clear who is responsible for each task. When a task is not completed on schedule, it also makes clear whom to hold accountable.
• Management follow-up—PMs and upper level management can use the POAM to follow up on a project. The POAM allows managers to quickly determine the status of any project. When project management tools are used, the source of the problem is often easy to identify.

Each line item could include the following details:
• Task name
• Associated threat or vulnerability
• Risk level (low, medium, or high)
• Milestone due date
• Step or milestone name
• Assignment of responsibility
• Scheduled completion date
• Point of contact
• Estimated cost
• Comments
• Actual cost
• Estimated person hours to complete task
• Scheduled start date
• Actual start date
• Current status
• Actual date of completion
• Actual person hours to complete task

Case Study
Consider the Web site risk management plan. The Web site has been attacked. It has suffered two major outages in the last two months. The cause of these two incidents is probably well known. However, all the threats and vulnerabilities are probably not known. The initial POAM might have the following generic items:
• Approve risk management plan: Assigned to ______ Due by _____
• Identify threats: Assigned to ______ Due by ______
• Identify vulnerabilities: Assigned to ______ Due by ______
• Identify potential solutions: Assigned to ______ Due by ______
• Approve risk response plan: Assigned to ______ Due by ______
• Begin implementation of plan: Assigned to ______ Due by ______
• Complete implementation of plan: Assigned to ______ Due by ______

Later, when management approves the specific recommendations, you can create a POAM for the approved and modified recommendations. Each recommendation within the POAM could have multiple line items. For example, the task to upgrade the firewall could be the major milestone. When all of the tasks are completed, the milestone is met.
• Log current firewall activity: Assigned to ______ Due by ______
• Purchase two SS75 firewalls: Assigned to ______ Due by ______
• Create firewall policy: Assigned to ______ Due by ______
• Test firewalls: Assigned to ______ Due by ______

Quiz

1. What is the primary purpose of defining the objectives and scope of a risk management plan?
A) To assign responsibilities to team members
B) To identify legal and compliance issues
C) To establish the goals and boundaries of risk management activities
D) To prioritize risk elements based on their severity

2. How does a risk management plan prioritize risk elements?
A) By performing cost benefit analysis
B) By understanding and assessing legal and compliance impacts
C) By assigning responsibilities to team members
D) By implementing incident management strategies

3. Why are reporting requirements important in risk management planning?
A) To perform cost benefit analysis
B) To communicate risk management activities and outcomes to stakeholders
C) To assign responsibilities to team members
D) To prioritize risk elements based on legal and compliance impacts

4. Name two types of risk response strategies used in risk management planning:
A) Risk avoidance and risk acceptance
B) Incident detection and incident recovery
C) Legal compliance and regulatory assessment
D) Cost analysis and benefit evaluation

5. What does incident management involve in the context of risk management planning?
A) Assigning responsibilities for risk monitoring
B) Prioritizing risk elements for immediate action
C) Developing protocols for detecting, responding to, and recovering from incidents
D) Performing cost benefit analysis after incidents occur

Answers
1. C 2. A 3. B 4. A 5. C

Risk Assessment
Thank you!

Business Continuity Management
August 2024
Contents
1. Introduction, Objective & Scope to Business Impact Analysis
2. Steps of Business Impact Analysis Process
3. BIA approach
4. BIA risk framework & areas
5. Business Continuity Plan (BCP)
6. Disaster Recovery Plan (DRP)
7. Best Practices for BCP & DRP
8. Overview of ISO 22301 and other relevant standards
9. Quiz
Introduction to Business Impact Analysis

What is Business Impact Analysis (BIA)?

► A Business Impact Analysis (BIA) is an examination aimed at determining the consequences arising from business disruptions, particularly the breakdown of critical IT functions.
► In essence, a BIA assists in pinpointing the IT systems vital for an organization's continuity. Survivability, in this context, denotes an organization's capacity to endure potential losses attributable to risks. Certain losses, if left unaddressed, can be so debilitating that they ultimately lead to business failure.

Key Terms for BIA

► Maximum Acceptable Outage (MAO): the maximum amount of time a system or service can be down before affecting the mission. The MAO is sometimes referred to as maximum tolerable outage (MTO) or maximum tolerable period of disruption (MTPOD).
► Customer Service Delivery Document: a service level agreement (SLA) is a document that identifies an expected level of performance. It identifies the minimum uptime or the maximum downtime. Organizations use SLAs as a contract between a service provider and a customer.
► Critical Business Functions (CBFs): any functions considered vital to an organization. If a CBF fails, the organization will lose the ability to perform essential operations, for example selling products / services to customers, which in turn leads to loss of revenue.
► Critical Success Factors (CSFs): any element necessary to perform the mission of an organization. An organization will have a few elements that must succeed in order for the organization to succeed. Example: reliable network infrastructure.

Why is BIA crucial for organizations?

► Risk Identification and Prioritization: BIA helps organizations identify potential risks and vulnerabilities that could disrupt critical business operations.
► Resource Allocation: BIA provides data that enables organizations to allocate resources strategically.
► Cost Management: By understanding the potential financial impact of disruptions, organizations can develop cost-effective recovery plans.
► Reduced Downtime: With a comprehensive BIA, organizations can establish Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical processes.
► Compliance and Regulatory Requirements: Identify gaps in the existing compliance agreements (whether regulatory, like HIPAA or GDPR).
► Reputation Management: BIA exercises help the organisation identify the various critical risks from an IT and non-IT perspective and act as an early warning indicator.
► Other elements include Operational Resilience, Stakeholder Confidence, Decision Support etc., which bring more confidence to the customer / client and ensure that clear decisions are made regarding any investment in technical aspects and as part of the long-term vision of the organisation.
Objective

Objectives of Business Impact Analysis

The overall objective of the BIA is to identify the impact of outages. More specifically, the goal is to identify the critical functions that can affect the organization. After identifying these, you can identify the critical resources that support these functions.

01 Identify Critical Business Functions
Determine which business processes are essential for the organization's survival and success.

02 Identify Critical Resources
The critical resources are those that are required to support the CBFs.

03 Identify MAO and Impact
The MAO helps you determine which CBFs you need to recover and restart as soon as possible after a disaster.

04 Identify Recovery Requirements
The recovery requirements show the time frame in which systems must be recoverable. They also identify the data that must be recovered.

CBF - Critical Business Function; MAO - Maximum Acceptable Outage; CSF - Critical Success Factor
Scope

Defining the early scope of a Business Impact Analysis (BIA) is crucial for maintaining focus. The scope depends on the organization's size; smaller ones may encompass everything, while larger ones might target specific areas. A clear scope statement prevents misinterpretation and ensures the BIA accurately identifies vital functions for continuity. The following points can help us understand and analyse the scope of BIA:

1. Size-Dependent Scope: BIA typically considers the size and complexity of the organization when defining its scope. The scope may vary based on the organization's industry, geographical spread, and the number of critical business functions that need to be assessed.

2. Scope Boundaries: Defining clear boundaries is crucial in BIA to ensure that all critical business functions and their dependencies are included. Scope boundaries help in focusing BIA efforts on essential aspects of the organization that are most critical to its operations and resilience.

3. Early Scope Definition: Early definition of scope involves identifying the objectives and expected outcomes of BIA. This includes clarifying which business functions will be analyzed, the depth of analysis required for each function, and the timeline for completing BIA activities.

4. Phase-Based Analysis: Phase-based analysis refers to conducting BIA in structured phases or stages to ensure comprehensive coverage. Phases may include initial scoping and planning, data collection and analysis, impact assessment, recovery objectives determination, and reporting.

5. Importance of Clear Scope: Clear scope definition is essential for effective BIA because it provides a framework for stakeholders to understand the boundaries and objectives of the analysis. It helps in prioritizing resources, focusing efforts on critical areas, and ensuring that all necessary aspects are covered. Clear scope also facilitates communication among stakeholders, ensuring that everyone involved in BIA understands their roles and responsibilities.
Process Steps

01 Identify the Environment
 The first step identifies the overall IT environment. This means having a good understanding of the business function. This includes the number of customers and the number of transactions. If sales revenues are generated, you should know the sales amounts.

02 Identify Stakeholders
 Stakeholders are those individuals or groups that have a direct stake or interest in the success of a project. A stakeholder can help ensure that you have adequate resources available. This includes simple matters, such as ensuring personnel are available for interviews for the BIA.

03 Identify Critical Business Functions
 The critical functions are those that will have a direct impact on the profitability or survivability of an organization. Some BIAs are designed to focus on a critical function from the beginning.

04 Identify Critical Resources
 Determine the resources (internal and external) needed to support important business functions. Personnel, technology, data, buildings, equipment, suppliers, and other dependencies are examples of resources.
Process Steps

05 Identify Maximum Downtime
 Determine the maximum allowable downtime for each critical business function, known as the Recovery Time Objective (RTO).
 The RTO represents the time within which the function must be restored to prevent severe impacts on the organization.

06 Identify Recovery Priorities
 Prioritize recovery efforts based on the criticality of business functions, resources, and RTOs.
 This step aids in the optimal allocation of resources and the concentration of recovery efforts on the most crucial components.

07 Develop BIA report
 Gather all the information acquired during the BIA process and compile it into a detailed report.
 Details on important functions, impact analysis, resource dependencies, recovery priority, and RTOs should all be included in the report.
BIA approach

1. Dataset Identification / Validation
• Identified the business sub-functions and respective stakeholders of each in-scope department.
• Identified / validated the datasets handled by each business sub-function.

2. Discussion
• Conducted discussions with the identified stakeholders to understand the activities and processes for each business sub-function.

3. Identify Applications / Systems
• Identified / validated the systems / applications.

4. Assessed BIA
• Assessed business impact analysis (confidentiality, integrity, availability and privacy ratings) for defined parameters.

5. Identify Crown Jewels
• Analyzed the result of the BIA to identify the crown jewels.
BIA risk framework – impact parameters and scales

The risk framework considers impacts on the following parameters in case of loss of CIAP. The impact scales are defined quantitatively and qualitatively depending on the impact parameter.

Impact parameters

Operational
• Loss of management control
• Costs related to productivity decline
• Loss of assets
• Recovery costs
• Financial fraud
• Decrease of data quality (inconsistency)
• Bypass of internal automated controls

Strategy
• Loss of innovation capabilities
• Impact on strategic growth areas

Reputational / compliance
• Loss of confidence by suppliers, stakeholders (e.g. compliance auditor, Quality Control department) or regulators
• Damage to public image
• Penalties or legal liabilities

Employee
• Loss of staff morale
• Total incidents

Customer
• Delay of service delivery or decreased service quality
• Loss of sales, orders or contracts (revenue)

Impact scales

| Scale | 1 Very low | 2 Low | 3 Medium | 4 High | 5 Very high |
| Qualitative: degree of loss | No loss / impact | Minor loss / impact | Moderate loss / impact | Significant loss / impact | Complete loss / impact |
| Qualitative: manual processing | No manual processing of data | Limited manual processing of non-crucial data | Manual processing of non-crucial data | Manual processing of crucial data | All data is manually processed |
| Quantitative: financial loss | 0 | $<1m | $1m - 10m | $10m - 50m | >$50m |
| Quantitative: geographic spread | N/A | One country | Two countries | One region | Two or more regions |
| Quantitative: duration of outage | N/A | 8 hours | 24 hours | 3 days | 1 week |
| Quantitative: staff safety | No loss | 1 staff with light injuries | 2-5 staff with light injuries | 1 staff with significant injuries or more than 5 staff with light injuries | More than 1 staff with significant injuries or 1 death |
Definitions: BIA Areas

Confidentiality
What it means: Business impact if the data is disclosed to unauthorized parties (or functions are accessed by unauthorized parties).
Impact criteria: Whether the data is disclosed to unauthorized parties like:
• Organisation's employee - same department
• Organisation's employee - outside department
• 3rd party (i.e. customer / supplier)
• Competition
• Public

Integrity
What it means: Business impact if the data (or functionality) is tampered with (i.e. inaccurate).
Impact criteria: Whether the data is maintained:
• Locally
• Centrally

Availability
What it means: Business impact if the data (or functionality) is unavailable when needed.
Impact criteria: Whether the data is unavailable for:
• 20 minutes
• 2 hours
• 8 hours
• 1 day
• 1 week

Privacy
What it means: Business impact if there is a privacy breach (i.e. if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals).
Impact criteria: Whether the dataset includes:
• Personal data
• Sensitive personal data
Risk Score Matrix

Risk score matrix

The table below maps numerical risk scores to the risk impact scales defined by the enterprise risk management team for each Business Impact Area (CIAP). The risk scores are derived using the risk framework and the weightages assigned to each impact scale (from very low to very high). Each criterion defined as explained in slide 09 was part of the CIAP areas used to calculate the risk impact scores.

| Area | 1 Very low | 2 Low | 3 Medium | 4 High | 5 Very high |
| Availability | 0.00 | 0.01 - 4.00 | 4.01 - 7.00 | 7.01 - 13.00 | 13.01 & above |
| Confidentiality | 0.00 | 0.01 - 6.00 | 6.01 - 20.00 | 20.01 - 40.00 | 40.01 & above |
| Integrity | 0.00 | 0.01 - 3.00 | 3.01 - 7.00 | 7.01 - 16.00 | 16.01 & above |
| Privacy | 0.00 | 0.01 - 3.00 | 3.01 - 8.00 | 8.01 - 14.00 | 14.01 & above |

Crown jewels

Datasets which exceed the defined cut-off risk scores for the BIA areas, that is, for CIAP.

Determining criteria for Crown Jewels

The cut-off risk scores have been determined by taking into consideration aspects such as the following in case the data is not available, or there is unauthorized access to data, or the data's integrity is not maintained, or personal data is compromised:
• Cost involved due to the disruption and recovery of operations
• Loss of revenue
• Potential legal liabilities with financial penalties
• Impact on innovation/strategy
• Impact on employee morale/safety
If the impact on the above-mentioned parameters is High or Very High, then the dataset is a crown jewel.
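
As an added example (not part of this deck), the following Python applies the cut-off table above to a small constructed dataset inventory: each CIAP score is banded against its area's ranges and the dataset is flagged as a crown jewel when any area lands in High or Very High. The dataset names and scores are constructed for illustration; the band boundaries are the ones on this slide.

```python
"""Crown-jewel classification against the CIAP risk score matrix.

Added example: band each dataset's four BIA-area scores against the
cut-off table and flag the dataset as a crown jewel when any area is
High or Very High.
"""
from dataclasses import dataclass

# Band labels in ascending order of severity (scale 1 .. 5).
BANDS = ("Very low", "Low", "Medium", "High", "Very high")

# Cut-off table from the slide: for each CIAP area, the inclusive upper
# bound of bands 1..4. Anything above the last bound is Very high.
# Scores are expressed in two-decimal steps, so 4.00 is Low and 4.01 is Medium.
CUTOFFS = {
    "Availability":    (0.00, 4.00, 7.00, 13.00),
    "Confidentiality": (0.00, 6.00, 20.00, 40.00),
    "Integrity":       (0.00, 3.00, 7.00, 16.00),
    "Privacy":         (0.00, 3.00, 8.00, 14.00),
}

# Slide rule: the dataset is a crown jewel if impact is High or Very High.
CROWN_JEWEL_THRESHOLD = "High"


def band_for(area, score):
    """Return (level, label) for one CIAP area score, e.g. (3, "Medium")."""
    if area not in CUTOFFS:
        raise KeyError(f"unknown BIA area: {area}")
    if score < 0:
        raise ValueError("risk scores are non-negative")
    score = round(score, 2)  # the matrix is defined in two-decimal steps
    for level, upper in enumerate(CUTOFFS[area], start=1):
        if score <= upper:
            return level, BANDS[level - 1]
    return 5, BANDS[4]


@dataclass
class Assessment:
    dataset: str
    bands: dict      # area -> (level, label)
    crown_jewel: bool
    drivers: tuple   # areas that met or exceeded the threshold band


def assess_dataset(name, scores):
    """Band all four CIAP scores for a dataset and apply the crown-jewel rule."""
    missing = set(CUTOFFS) - set(scores)
    if missing:
        raise ValueError(f"{name}: missing scores for {sorted(missing)}")
    bands = {area: band_for(area, scores[area]) for area in CUTOFFS}
    threshold_level = BANDS.index(CROWN_JEWEL_THRESHOLD) + 1
    drivers = tuple(a for a, (lvl, _) in bands.items() if lvl >= threshold_level)
    return Assessment(name, bands, bool(drivers), drivers)


def crown_jewels(inventory):
    """Reduce an inventory {dataset: {area: score}} to its crown-jewel names."""
    return sorted(n for n, s in inventory.items() if assess_dataset(n, s).crown_jewel)


# Constructed sample inventory (illustrative scores, not from the deck).
# 'marketing-assets' sits exactly on the Low/Medium boundaries to show
# that a score equal to an upper bound stays in the lower band.
SAMPLE_INVENTORY = {
    "customer-pii-db":  {"Availability": 6.50, "Confidentiality": 41.20, "Integrity": 5.00, "Privacy": 14.01},
    "intranet-wiki":    {"Availability": 2.00, "Confidentiality": 3.50, "Integrity": 1.25, "Privacy": 0.00},
    "payments-ledger":  {"Availability": 13.00, "Confidentiality": 19.99, "Integrity": 16.01, "Privacy": 2.00},
    "marketing-assets": {"Availability": 4.00, "Confidentiality": 6.00, "Integrity": 3.00, "Privacy": 3.00},
}

if __name__ == "__main__":
    for name, scores in SAMPLE_INVENTORY.items():
        result = assess_dataset(name, scores)
        summary = ", ".join(f"{area[0]}={label}" for area, (_, label) in result.bands.items())
        print(f"{name:18} {summary:55} crown jewel: {result.crown_jewel}")
```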

Business Continuity Plan (BCP)

► "Business Continuity Plans" are an important element of risk management.
► They help an organization plan for a major disruption or disaster and ensure that critical business functions (CBFs) continue to operate.

Need for BCP

• Threats and disruptions result in revenue loss, increased costs, and reduced profitability.
• Relying solely on insurance is insufficient.
• BCPs are preconceived strategies involving input from key stakeholders and personnel.
• The BCP's scope encompasses the entire organization, including IT systems, facilities, and personnel.
• BCP doesn't imply that all organizational elements must operate during disruptions; instead, it evaluates all elements.
• BCP identifies and prioritizes mission-critical elements that require continuous operation.
• Non-mission-critical elements that can be suspended aren't within the purview of the BCP.

Phases of a BCP

• Notification/activation phase: called by the BCP coordinator.
• Recovery phase: CBFs are recovered and returned to full operation.
• Reconstitution phase: the organization returns to normal operations.
Disaster Recovery Plan

► A "Disaster Recovery Plan (DRP)" is a plan to restore a critical business process or system to operation after a disaster.
► It is used to respond to a wide range of disasters as per the business environment.

Need for DRP

• Organizations with critical missions must plan for disasters.
• Halting mission-supporting operations leads to business interruption.
• A Disaster Recovery Plan (DRP) is essential to ensure continuity.
• Pre-planning is crucial because waiting until disaster strikes is ineffective.
• DRP outlines critical systems and methods for recovery.
• BCP identifies critical systems and DRP guides recovery.
• Without DRP, recovery may be compromised.

BCP versus DRP

| Area | BCP | DRP |
| Scope | Wider, encompasses overall emergency response. | Specific, deals with recovery of individual systems. |
| Objective | Sustaining an organization's business. | Restoring one or more systems after a major hardware or software failure, or facility destruction. |
| Focus | Identifying critical systems, defining acceptable downtimes. | Details needed for system recovery, including steps and processes. |
| Purpose | Ensures continuity of operations during disruptions. | Facilitates the restoration of systems to operational state. |
| Outcome | Aims to keep the organization functioning amid disruptions. | Aims to regain system functionality post-disaster. |
| Key Goal | Minimize downtime and maintain essential operations. | Swift recovery of essential systems to minimize impact. |
Elements of BCP

1. The purpose of the BCP is to ensure that mission-critical elements of an organization continue to operate after a disruption.
2. Just as with any project, you need to define the scope of the BCP. The success of the project is dependent on personnel understanding the tasks.
3. Every BCP needs to include some basic assumptions and planning principles. These are very helpful in the initial development of the BCP. They are also useful in the implementation phases.
4. The BCP identifies critical business functions that need to remain operational during the disruption. Each of these CBFs has individual systems that support it.
5. When you assign responsibilities, this makes things clear to all concerned. When tasking is not completed or is behind schedule, it is easier to get it back on track.
6. The Notification/Activation Phase is the point when the disruption has occurred or is imminent.
7. During the recovery phase, the Technical Recovery Team's objectives encompass restoring temporary operations to critical systems and repairing damage to the original systems.
8. Every BCP needs to include some basic assumptions and planning principles. These are very helpful in the initial development of the BCP. They are also useful in the implementation phases.
9. Ensure personnel are trained comprehensively on the BCP to impart detailed knowledge; testing and exercises validate the plan's functionality and practical application.
10. "Plan Maintenance" involves regularly updating and refining the Business Continuity Plan (BCP) to ensure its effectiveness over time.
Elements of DRP

1. Purpose: The DRP starts with a simple statement identifying its purpose.
2. Scope: The scope of any project helps identify the boundaries.
3. Disaster: When a disaster or emergency occurs, or is imminent, the DRP is implemented.
4. Communications: Several communications elements are important to the success of a DRP, i.e. users and customers.
5. Activities: The Emergency Response section identifies several emergency response steps to take.
6. Emergency Response: Stakeholders are more inclined to work with an organization that shows a strong commitment to risk management and business continuity.
7. Recovery Plan: The recovery plan identifies steps for rebuilding and recovering a system after a disaster.
8. Critical Business Operation: If data needs to be restored, an effective backup plan is required. One of the first steps is to identify critical data.
9. Recovery Procedures: Specific recovery procedures are identified for all the servers and services in the DRP.
10. Critical Operations, Customer Service, and Operations Recovery.
Benefits of BCP

A Business Continuity Plan (BCP) offers numerous benefits to organizations, ensuring their ability to navigate and recover from various disruptions and challenges:

 Minimize Downtime: A BCP helps organizations continue critical operations during disruptions, minimizing downtime and reducing financial losses.
 Risk Management: By identifying potential risks and vulnerabilities, a BCP enables proactive risk management strategies that can prevent or mitigate the impact of disruptions.
 Data Protection: A BCP includes measures to safeguard data, ensuring that it remains accessible and secure even in adverse situations.
 Customer and Stakeholder Trust: Maintaining operations during disruptions demonstrates reliability to customers, clients, and stakeholders, fostering trust and maintaining positive relationships.
 Compliance and Regulations: Many industries have regulatory requirements for business continuity planning. Having a BCP in place ensures compliance and helps avoid legal and regulatory issues.
 Employee Morale and Engagement: A well-executed BCP includes provisions for employee safety, communication, and support during disruptions. This fosters a sense of security, loyalty, and engagement among employees.
 Stakeholder Confidence: Investors, partners, suppliers, and other stakeholders have more confidence in an organization that has a solid BCP. They know that the organization is prepared to navigate challenges and maintain stability.
 Cost Savings: While investing in BCP might involve upfront costs, it can lead to significant cost savings in the long run. The ability to recover quickly from disruptions can minimize financial losses associated with downtime, data loss, and recovery efforts.
 Brand Reputation: A well-prepared organization that can continue delivering products and services during disruptions is likely to have a positive impact on its brand reputation. This can differentiate the organization from its competitors and attract new customers.
 Improved Decision Making: BCP provides a structured framework for decision-making during crises. With predefined roles, responsibilities, and procedures, leadership can make informed decisions more efficiently.
Benefits of DRP

A Disaster Recovery Plan (DRP) offers several key benefits to organizations:

 Minimize Downtime: A well-designed DRP helps minimize downtime in the event of a disaster. It ensures that critical systems and data are quickly restored, reducing the impact on business operations and minimizing financial losses.
 Data Protection: DRP safeguards your data from loss or corruption. Regular backups and recovery strategies ensure that data remains intact and available even after a disaster.
 Business Continuity: By providing a roadmap for recovery, a DRP helps maintain business continuity during and after a disaster. This means that essential services can continue operating, maintaining customer trust and preventing reputation damage.
 Risk Reduction: DRP identifies potential risks and vulnerabilities in advance, allowing you to take proactive measures to mitigate them. This minimizes the likelihood of a disaster and its impact.
 Compliance and Regulations: Many industries have regulations that mandate disaster recovery planning. Having a DRP in place ensures compliance with these standards and may prevent legal issues.
 Reduced Financial Loss: Disruptions and downtime can lead to significant financial losses due to halted operations, decreased productivity, and potential reputational damage. A DRP helps mitigate these financial losses by enabling a quicker recovery.
 Reputation Protection: Customers and stakeholders value organizations that can maintain operations and services during difficult times. An effective DRP helps protect the organization's reputation by demonstrating preparedness and resilience.
 Employee Safety and Confidence: A DRP not only focuses on technology and data recovery but also includes procedures to ensure employee safety during a disaster. When employees know their well-being is a priority, their confidence in the organization increases.
 Faster Recovery Time: With a well-defined DRP, recovery time is significantly reduced because the plan outlines clear steps, responsibilities, and procedures. This means the organization can bounce back more quickly after a disaster.
 Competitive Advantage: Potential partners, clients, and investors may be more inclined to work with an organization that demonstrates a strong commitment to risk management and business continuity.
Best Practices for BCP

01 Complete the BIA early
Ensure the BIA is done early in the process for the BCP. Without the BIA, you won't know what systems are critical. You also won't know what priority to use to recover the systems.

02 Exercise caution when returning functionality from alternate locations
When restoring functionality from an alternate location to the primary location, consider these best practices:
• Restore least critical functions first to the primary location.
• Use concurrent processing after a disruption.

03 Review and update the BCP regularly
The BCP coordinator should review and update the BCP at least annually. If critical systems are changed or modified between annual reviews, the BCP should be reviewed when those changes or modifications occur.

04 Test all the individual pieces of the plan
This includes basic procedures, such as recalls. It also includes the more detailed procedures documented in DRPs.

05 Exercise the plan
Verify the plan works by performing test exercises. These exercises should not affect normal operations.
Best Practices for DRP

Developing and maintaining an effective Disaster Recovery Plan (DRP) is crucial for ensuring the continuity of critical business operations in the event of disasters, disruptions, or unforeseen incidents. Here are some best practices for creating and implementing a DRP:

1. Ensure BIAs have been completed: BIAs identify critical business functions. The critical business functions are used to identify the critical business operations and critical servers and services.

2. Start with a clear purpose and scope: The purpose and scope statements help ensure the DRP stays focused. Resources are wasted when steps and procedures are taken that are outside the scope of the DRP.

3. Review and update the DRP regularly: You should review the DRP at least annually. If you change critical systems covered by the DRP, you should review the DRP to determine if the changes affect it.

4. Test the DRP: Testing ensures that you can implement the DRP as expected. When testing the DRP, it should not affect normal operations.
Overview of ISO 22301

What is ISO 22301?

• ISO 22301 is an internationally recognized standard published by the International Organization for Standardization (ISO).
• It provides a systematic framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and continually improving a Business Continuity Management System (BCMS).
• This internationally recognized standard enhances risk management, organizational resilience, and competitiveness.

Key elements of ISO 22301 are:

• Understanding internal and external factors affecting continuity.
• Top management's support and involvement.
• Identifying and mitigating risks.
• Allocating necessary resources.
• Identifying critical processes and dependencies.
• Developing strategies for uninterrupted operations.
• Designing and implementing the BCMS.
• Monitoring and measuring BCMS effectiveness.
• Continuously enhancing the BCMS based on performance data.

Benefits of adopting the ISO 22301 standard

• Improved business performance and organizational resilience.
• A better understanding of critical issues and areas of vulnerability.
• Companies with multiple sites can rely on the same consistent approach.
• Reduced costs and less impact on business performance should something go wrong.
• Provides the ability to reassure clients, suppliers, regulators and other stakeholders.
• Helps organizations respond to, and recover from, disruptions effectively.
Elements of ISO 22301

In ISO 22301, the key elements related to business continuity management are organized into different clauses and sections of the standard. Here are the primary areas addressed by ISO 22301.

Scope, Normative References, and Terms and Definitions: These sections introduce the standard, define key terms, and set the scope of the Business Continuity Management System (BCMS).

1. Leadership and Commitment: This section outlines the leadership's role in establishing, implementing, and maintaining the BCMS, including assigning responsibilities and providing necessary resources.
2. Planning: This section covers the critical planning aspects of business continuity, such as conducting a Business Impact Analysis (BIA), conducting a risk assessment, developing business continuity strategies and plans, and setting objectives.
3. Support: This section addresses resource allocation, competence, awareness, communication, and documentation required to support the BCMS effectively.
4. Operation: Here, the standard focuses on implementing and executing the business continuity plan, incident response, and recovery activities.
5. Performance Evaluation: This section discusses the monitoring and measurement of the BCMS's performance, including conducting internal audits and management reviews.
6. Improvement: This part emphasizes the need for continuous improvement, which includes taking corrective actions, implementing preventive measures, and learning from experiences.
7. Documentation and Records: ISO 22301 requires organizations to maintain documentation and records related to their business continuity activities and management system.
Criteria for ISO 22301 Certification

1. Establish a BCMS: Develop and implement a Business Continuity Management System (BCMS) based on ISO 22301 requirements.
2. Risk Assessment: Identify and assess potential risks and vulnerabilities that could disrupt business operations.
3. Develop and Test Plans: Create comprehensive Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs), and regularly test them.
4. Leadership Commitment: Ensure top management's commitment to and involvement in BCMS implementation.
5. Resource Allocation: Allocate necessary resources, including personnel, technology, and financial resources.
6. Performance Monitoring: Establish monitoring and measurement processes to evaluate the effectiveness of the BCMS.
7. Documentation: Maintain documented information that describes the BCMS and related processes.
8. Training and Awareness: Provide training and awareness programs to employees and relevant stakeholders.
9. Audit and Review: Conduct regular internal audits and management reviews to assess and improve the BCMS.
10. Certification Audit: Engage a certified external auditor to assess compliance with ISO 22301 standards.
NIST 800-53

What is NIST 800-53?

The National Institute of Standards and Technology (NIST) Special Publication 800-53, titled "Security and Privacy Controls for Information Systems and Organizations," provides a comprehensive set of security controls that can be used to establish and manage an effective security program for information systems and organizations. Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are important components of information security, and NIST 800-53 addresses them in various control families.

Elements for BCP

Contingency Planning (CP) Family (CP-1 to CP-10):
► CP-2: Contingency Plan
► CP-4: Contingency Plan Testing and Exercises
► CP-5: Plan of Action and Milestones
► CP-6: Alternate Storage Sites
► CP-7: Alternate Processing Sites
► CP-8: Telecommunications Services
► CP-9: Information System Backup
► CP-10: Information System Recovery and Reconstitution

Elements for DRP

Incident Response (IR) Family (IR-1 to IR-8):
► IR-2: Incident Response Training
► IR-4: Incident Handling
► IR-6: Incident Reporting
► IR-8: Incident Response Plan
ISO 27001

What is ISO 27001

ISO 27001, which is the international standard for Information Security Management Systems (ISMS), addresses Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) primarily in the following sections and clauses:

Elements for BCP & DRP

► Clause 6.1.3 - Information Security Risk Assessment: requires organizations to consider the impact of information security incidents on the confidentiality, integrity, and availability of information when assessing risks. This is where the link to BCP and DRP is established since these plans are designed to maintain availability during incidents.
► Clause 8.2 - Information Security Policies for Assets: requires organizations to establish and maintain policies for the use and protection of information security assets. These policies can include requirements for business continuity and disaster recovery planning.
► Clause 8.2 - Information Security Policies for Access Control: requires organizations to implement access controls for information security assets. Access control policies may include provisions for ensuring the availability of critical systems during disruptions.
► Clause 8.2 - Information Security Policies for Cryptographic Controls: requires organizations to establish and maintain policies for the use of cryptographic controls. These controls may be an integral part of BCP and DRP efforts to protect data during and after incidents.
► Clause 8.2 - Information Security Policies for Secure System Engineering: requires organizations to establish and maintain policies for secure system engineering. This can include requirements for designing systems that are resilient and capable of recovering from disasters.
► Clause 8.2 - Information Security Policies for Supplier Relationships: requires organizations to establish and maintain policies for supplier relationships. These policies may include requirements for suppliers to have their own BCP and DRP in place.
► Clause 8.2 - Information Security Policies for Information Security Incident Management: requires organizations to establish and maintain policies for incident management. This includes specifying procedures for managing incidents, which often involve BCP and DRP.
► Clause 14.1 - Information Security Aspects of Business Continuity Management: states that the organization shall determine the necessary competence for personnel involved in the information security aspects of business continuity management.

Quiz

1. What is the scope of a Business Impact Analysis (BIA)?
A) Analyzing potential risks to IT infrastructure
B) Assessing the impact of business disruptions on operations
C) Evaluating customer satisfaction metrics
D) Defining legal compliance requirements

2. Which approach is commonly used in Business Impact Analysis (BIA) to assess the impact of disruptions?
A) Quantitative analysis
B) Operational assessment
C) Strategic alignment
D) Customer satisfaction survey

3. What does the Business Continuity Plan (BCP) primarily focus on?
A) Short-term incident response
B) Long-term business growth strategies
C) Maintaining critical business operations during and after disruptions
D) IT system development and implementation

4. Which international standard is commonly referenced for Business Continuity Management Systems (BCMS)?
A) ISO 9001
B) ISO 27701
C) ISO 22301
D) ISO 27001

5. What is the purpose of a Disaster Recovery Plan (DRP)?
A) To identify and mitigate business risks
B) To maintain critical IT systems and infrastructure
C) To improve customer service standards
D) To enhance employee training programs

6. What is a key component of a Disaster Recovery Plan (DRP) related to IT systems?
A) Employee training protocols
B) Marketing and promotional campaigns
C) Customer communication strategies
D) Data backup and restoration procedures

7. What is the primary objective of Business Impact Analysis (BIA)?
A) To identify business continuity risks
B) To assess the financial impact of a disaster
C) To prioritize critical business functions
D) To develop IT recovery strategies

8. What are the benefits of having a Business Continuity Plan (BCP)?
A) Improved employee morale and productivity
B) Increased market share and profitability
C) Enhanced customer satisfaction and loyalty
D) Minimized financial loss and operational downtime

Answers: 1. B, 2. A, 3. C, 4. C, 5. B, 6. D, 7. C, 8. D

Thank you!
Risk Management Frameworks

October 2024

Contents
1. Relevant NIST Frameworks
2. Securities and Exchange Commission (SEC) Cyber Security Rule
3. Relevant ISO Standards
4. Introduction to FEDRAMP
5. Quiz
NIST Cybersecurity Framework (CSF)

NIST CSF v1.1
1. Set of guidelines published by NIST for mitigating organizational cybersecurity risks based on existing standards, guidelines, and practices
2. Provides guidance to organizations to better understand, manage, reduce, and communicate cybersecurity risks, in turn guiding the organizations to improve their cybersecurity posture

Framework Core
► Identify (ID): Business Environment, Governance, Threat, Vulnerabilities, Risk, etc.
► Protect (PR): Assets, Information, Data, Intellectual Property Rights, etc.
► Detect (DE): Anomalies, Events, patterns, unauthorised actions etc.
► Respond (RS): Incident Response strategy, Test response plan, Legal reporting, etc.
► Recover (RE): Recovery Planning, Communication with stakeholders, restoration techniques, etc.

Implementation Tiers: the maturity level of the cybersecurity framework which the organisation desires to achieve.
► Tier 1 Partial - Cyber Security Program is ad hoc.
► Tier 2 Risk-Informed - Cybersecurity roles are beginning to be defined.
► Tier 3 Repeatable - Cybersecurity program is defined in approved policies.
► Tier 4 Adaptive - Robust cybersecurity program is implemented, and the organization desires to achieve readiness for emerging threats.

Framework Profile: assists in prioritizing the cybersecurity activities with the business objectives of the organization.
► Captures the present state and maturity level of the organization's cybersecurity program.
► Captures the target or to-be state that the organisation desires to achieve.
► Assists in conducting an in-depth comparison between the current and target state.
► Identifies the gaps in their cybersecurity practices and develops a roadmap for improvement and prioritizes their efforts to enhance their cybersecurity posture.

Page 81 Risk Management Frameworks Confidential


NIST SP 800-37 – Risk Management Framework

The RMF is a cycle of six steps around a central Prepare step:

► Prepare: the central step that supports all the others.
► Categorize: Organizations classify the information system and the data it handles according to the potential impact of a security breach.
► Select: Organizations select security controls based on the system's categorization and the organization's specific requirements.
► Implement: Organizations need to ensure that the controls are effectively integrated into the system's design and operations.
► Assess: Security controls are assessed to determine if they are effectively implemented and functioning as intended.
► Authorize: Based on the assessment results, the authorizing official (AO) makes a determination about whether to authorize the system to operate.
► Monitor: Once the system is authorized, ongoing monitoring and continuous assessment are crucial.

• It is important to note that the NIST RMF can be tailored to suit the specific needs and context of an organization. The level of rigor applied to each step can vary based on factors such as the sensitivity of the data, the organization's risk tolerance, and its regulatory requirements.



NIST SP 800-53 – Security & Privacy Controls for Information Systems

The purpose of the NIST SP 800-53 publication is to:
 Provide guidelines for selecting and specifying security and privacy controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
 There are 20 Control Families, which further consist of 276 controls and 636 control enhancements.

Key Highlights of NIST SP 800-53
► Applicability: NIST SP 800-53 is mandatory for all U.S. federal government agencies and contractors but can be adopted by any private organization.
► Security Controls: NIST SP 800-53 defines a catalogue of security controls that organizations can select and implement to protect their information systems.
► Privacy Controls: In addition to security controls, NIST SP 800-53 also includes a set of privacy controls to address privacy-related considerations.

NIST SP 800-53 Control Families
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Assessment, Authorization, Monitoring
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environment Protection
12. Planning
13. Program Management
14. Personnel Security
15. PII Processing and Transparency
16. Risk Assessment
17. System and Services Acquisition
18. System and Communications Protection
19. System and Information Integrity
20. Supply Chain Management



Securities and Exchange Commission (SEC) Cyber Security Rule

The four main components of the final SEC cybersecurity disclosure requirements are as follows:

Cybersecurity incident disclosure requirements
• Form 8-K within four business days from the date the registrant determines the incident is material. The form includes the nature, scope, timing, and impact or reasonably likely impact on the registrant.

Cybersecurity risk management
• Describe its processes for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes, including:
  • Whether the registrant considers cybersecurity risks as part of its overall risk management program
  • Whether the registrant engages assessors, consultants, auditors or other third parties
  • Whether the registrant has processes to oversee material risks from threats associated with its use of any third-party service providers

Cybersecurity governance
• Describe management’s role in assessing and managing material risks from cybersecurity threats.
• Disclose whether and which management positions or committees are responsible for assessing and managing cyber risks, including discussion of their relevant expertise.
• Board’s oversight of risks from cybersecurity threats.

Structured data
• Registrants must tag the required disclosures using Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Important changes from proposing release to the final rule

The SEC received more than 150 comment letters related to the proposed cybersecurity disclosures rule. As a result, the following are examples of key changes that were made during the finalization of the rule:
• Expanded the scope of the incident disclosure
• Added a time delay for Form 8-K/Form 6-K disclosure of incidents that could pose a risk to national security or public safety
• Removed the disclosure of incidents and related updates on Forms 10-Q/10-K for domestic registrants and Form 20-F for foreign private issuers (FPIs)
• Omitted the proposed aggregation of immaterial incidents for materiality analyses
• Streamlined the proposed disclosure elements related to risk management, strategy and governance
• Removed the proposed requirement to disclose board cybersecurity expertise



Securities and Exchange Commission (SEC) Cyber Security Rule

The following is a summary of the finalized cybersecurity disclosure requirements:

Regulation S-K Item 106(b) — risk management and strategy
Registrants must describe their processes, if any, for the assessment, identification and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations or financial condition.

Regulation S-K Item 106(c) — governance
Registrants must:
• Describe the board’s oversight of risks from cybersecurity threats.
• Describe management’s role in assessing and managing material risks from cybersecurity threats.

Form 8-K Item 1.05 — material cybersecurity incidents
Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:
• Nature, scope and timing
• Impact or reasonably likely impact on the registrant, including its financial condition and results of operations
An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the United States Attorney General (Attorney General) determines immediate disclosure would pose a substantial risk to national security or public safety.
Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.

Form 20-F
Foreign private issuers (FPIs) must:
• Describe the processes, if any, for the assessment, identification and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations or financial condition.
• Describe the board’s oversight of risks from cybersecurity threats.
• Describe management’s role in assessing and managing material risks from cybersecurity threats.

Form 6-K
FPIs must furnish information on material cybersecurity incidents promptly on Form 6-K if the information is (1) distributed to stockholders or to a national exchange (if the information is made public by that exchange) or (2) required to be made public under the registrant’s domestic laws.
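The Item 1.05 clock is easy to get wrong in an incident response runbook because it starts at the materiality determination, not at discovery, and counts business days rather than calendar days. The following helper is an added example (not from the slides or the SEC) that computes the filing deadline and flags a late filing; the holiday set and the dates in the scenario are constructed placeholders, not the official federal calendar.

```python
from datetime import date, timedelta

# Constructed placeholder holiday set for illustration only; a real deployment
# would load the applicable holiday calendar instead of hard-coding dates.
SAMPLE_HOLIDAYS = frozenset({date(2024, 9, 2)})  # constructed: a Monday holiday

# Item 1.05: file within four business days of determining the incident is material.
FORM_8K_BUSINESS_DAYS = 4


def _to_date(value):
    """Accept a datetime.date or an ISO 8601 string such as '2024-08-30'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def is_business_day(day, holidays=frozenset()):
    """Monday to Friday, excluding any date in the holiday set."""
    day = _to_date(day)
    return day.weekday() < 5 and day not in holidays


def add_business_days(start, count, holidays=frozenset()):
    """Return the date that is `count` business days after `start`.
    The start date itself is not counted, matching 'within N business days of'."""
    current = _to_date(start)
    remaining = count
    while remaining > 0:
        current += timedelta(days=1)
        if is_business_day(current, holidays):
            remaining -= 1
    return current


def form_8k_deadline(determination_date, holidays=frozenset()):
    """Deadline for the Item 1.05 Form 8-K, measured from the materiality
    determination date (not from the date the incident was discovered)."""
    return add_business_days(determination_date, FORM_8K_BUSINESS_DAYS, holidays)


def filing_status(determination_date, filed_on, holidays=frozenset()):
    """Compare an actual or planned filing date with the computed deadline."""
    deadline = form_8k_deadline(determination_date, holidays)
    late_by = max(0, (_to_date(filed_on) - deadline).days)
    return {"deadline": deadline, "late": late_by > 0, "days_late": late_by}


if __name__ == "__main__":
    # Constructed scenario: materiality determined on a Friday before a Monday holiday.
    determined = "2024-08-30"
    print("deadline without holidays:", form_8k_deadline(determined))
    print("deadline with the sample holiday:", form_8k_deadline(determined, SAMPLE_HOLIDAYS))
    print(filing_status(determined, "2024-09-09", SAMPLE_HOLIDAYS))
```

Tracking the determination date as its own field in the incident record, separate from the discovery date, is what makes this computation auditable later; the Attorney General delay described above is a separate, discretionary path and is deliberately not modelled here.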



ISO 22301:2019 – Business Continuity Management System

The purpose of ISO 22301:2019 (BCMS) is to prepare for, provide and maintain controls and capabilities for managing an organization’s overall ability to continue to operate during disruptions. A BCMS emphasizes the importance of:
 understanding the organization’s needs and the necessity for establishing business continuity policies and objectives;
 operating and maintaining processes, capabilities and response structures for ensuring the organization will survive disruptions;
 monitoring and reviewing the performance and effectiveness of the BCMS;
 continual improvement based on qualitative and quantitative measures.

The international standard introduces 10 clauses, which are as follows:

1. Scope: This clause explains the applicability of the standard.
2. Normative Reference: This clause explains how to deal with dated and undated normative references within the standard.
3. Terms and Definitions: This clause explains the terms and their respective definitions used within the standard.



ISO 22301:2019 – Business Continuity Management System

Clauses
This International Standard applies the “Plan-Do-Check-Act” (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization’s BCMS. The following figure illustrates a mapping between clause requirements and the PDCA approach:

4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement

[Figure: PDCA model applied to BCMS processes. Interested parties’ requirements for BC enter the cycle; Establish (Plan) covers Clauses 4, 5, 6 and 7; Implement & Operate (Do) covers Clause 8; Monitor & Review (Check) covers Clause 9; Maintain & Improve (Act) covers Clause 10; the output back to interested parties is managed BC.]



ISO 27001:2022 – Information Security Management Systems

ISO 27001:2022 is a framework designed to establish, implement, maintain and continually improve an information security management system (ISMS). It addresses requirements for the assessment and treatment of information security risks tailored to the needs of the organization and preserves the confidentiality, integrity and availability of information by applying a risk management process.

Key Control Areas

Organization Controls (37)
► Policies for information security
► Inventory of information and other associated assets
► Identity management
► Information security for use of cloud services

People Controls (8)
► Remote working
► Information security awareness, education and training
► Confidentiality or non-disclosure agreements
► Information security event reporting

Physical Controls (14)
► Physical security perimeters
► Securing offices, rooms and facilities
► Equipment maintenance
► Secure disposal or re-use of equipment

Technology Controls (34)
► Privileged access rights
► Data masking
► Secure system architecture and engineering principles
► Management of technical vulnerabilities

Importance of ISO 27001:2022
• ISO 27001:2022 provides a more robust approach to cybersecurity and data privacy that is better equipped to handle future threats.
• Improved efficiency and clear segregation of duties across fundamental pillars of process.
• High degree of governance and visibility across each area such as cost, effort, risks etc.
• Migrating ensures compliance with the latest security protocols, demonstrating a commitment to protecting sensitive information and maintaining industry standards.
• The updated standard provides a more comprehensive and advanced approach to security, which minimizes the risk of data breaches and cyber-attacks.



Key differences between ISO 27001:2013 & ISO 27001:2022

Major changes
• 57 Controls merged to 24
• 23 Controls renamed
• 35 Controls remain the same
• 1 Split Control

New Attributes
• Control Type
• Information security properties
• Cybersecurity Concepts
• Operational Capabilities
• Security Domains

11 new controls introduced in ISO 27001:2022

Control ID – Control Name: Requirement
► A.5.7 – Threat Intelligence: Track the latest types of threats in the industry and build defences that will help mitigate those threats.
► A.5.23 – Information Security for use of cloud services: Roles and responsibilities of both the cloud service provider and the organisation shall be defined in the contracts.
► A.5.30 – ICT readiness for business continuity: Identify critical ICT systems, develop business continuity plans, test and exercise plans regularly, train employees, and regularly review and update the plans.
► A.7.4 – Physical security monitoring: Premises need to be continuously monitored for unauthorised physical access.
► A.8.9 – Configuration management: Configuration of all the hardware, software, network and services needs to be documented.
► A.8.10 – Information deletion: Excess information that is no longer required shall be deleted from all the systems as per the data retention policy.
► A.8.11 – Data masking: Data masking techniques should be implemented to mask PII or sensitive PII data.
► A.8.12 – Data leakage prevention: Data leakage measures are to be implemented in order to avoid unauthorized disclosure of sensitive information, such as monitoring potential leakage channels, disabling download to removable storage, restricting copy and paste of data, and encryption.
► A.8.16 – Monitoring activities: The following logs can be monitored for the networks, systems, and applications: security tool logs, event logs, inbound and outbound traffic, etc.
► A.8.23 – Web filtering: Web filtering tools need to be installed, and the network logs and incident logs raised due to accessing malicious websites are to be documented.
► A.8.28 – Secure coding: Secure coding standards and guidelines are to be documented and communicated to the developers, and periodic review is to be performed on code to identify and address vulnerabilities.
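A.8.16 and A.8.23 together ask for two things that are easy to conflate: the web filter must block known-bad destinations, and the monitoring process must turn the resulting log entries into documented incidents, including the cases where the filter and the blocklist disagree. The following is an added example, not code from the slides or from ISO, that runs that check over a few constructed proxy log lines. The log format, the user names, the domains and the blocklist are all constructed placeholders; a real filter would export its own schema and feed.

```python
import re
from collections import Counter

# Constructed sample proxy log (not real traffic). Assumed line format:
# <ISO timestamp> <user> <ALLOW|BLOCK> <url> <http-status>
SAMPLE_PROXY_LOG = """\
2024-10-01T09:12:03Z alice ALLOW https://intranet.example.internal/home 200
2024-10-01T09:14:51Z bob ALLOW http://updates.example.com/patch.msi 200
2024-10-01T09:20:17Z alice BLOCK http://malware-drop.example.net/x.php 403
2024-10-01T09:21:02Z carol ALLOW https://docs.example.com/ 200
2024-10-01T09:25:44Z bob ALLOW http://phish-login.example.org/account 200
2024-10-01T09:26:10Z alice BLOCK http://malware-drop.example.net/y.php 403
"""

# Constructed blocklist of domains the web filter is expected to treat as malicious.
BLOCKED_DOMAINS = frozenset({"malware-drop.example.net", "phish-login.example.org"})

LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOW|BLOCK) (\S+) (\d{3})$")
HOST_RE = re.compile(r"^https?://([^/:]+)")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None for malformed input."""
    match = LINE_RE.match(line)
    if not match:
        return None
    timestamp, user, action, url, status = match.groups()
    host = HOST_RE.match(url)
    return {
        "ts": timestamp,
        "user": user,
        "action": action,
        "url": url,
        "host": host.group(1).lower() if host else "",
        "status": int(status),
    }


def domain_blocked(host, blocklist):
    """True if the host or any parent domain of it is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def detect_incidents(log_text, blocklist):
    """Return an incident record for every request to a blocklisted domain.
    A request the filter ALLOWed is flagged as a 'filter gap' (policy and
    blocklist disagree); BLOCKed requests are still recorded so that the
    incident log required by A.8.23 is complete."""
    incidents = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or not domain_blocked(record["host"], blocklist):
            continue
        record["finding"] = "filter gap" if record["action"] == "ALLOW" else "blocked access"
        incidents.append(record)
    return incidents


def summarize(incidents):
    """Counts a reviewer would put in the monitoring report."""
    by_user = Counter(item["user"] for item in incidents)
    gaps = sum(1 for item in incidents if item["finding"] == "filter gap")
    return {"total": len(incidents), "by_user": dict(by_user), "filter_gaps": gaps}


if __name__ == "__main__":
    found = detect_incidents(SAMPLE_PROXY_LOG, BLOCKED_DOMAINS)
    for item in found:
        print(f"{item['ts']} {item['user']} {item['finding']}: {item['url']}")
    print(summarize(found))
```

The "filter gap" finding is the one worth routing to a ticket: it means a destination the organisation has decided is malicious was reachable, so either the filter's feed lags the blocklist or the policy has an exception that needs review.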



ISO 27001 Audits

An ISO 27001 audit involves reviewing the ISMS and testing whether it meets the requirements of the standard. The standard requires an organisation to plan and conduct an internal audit in order to be compliant with the standard. If an organisation wants to achieve certification, an external audit is required to be carried out by a certification body.

What is involved in Internal Audit? Steps:
1. Documentation Review
2. Evidential Audit
3. Audit report
4. Analysis
5. Management Review

The process for an external audit is essentially the same as for the internal audit but is usually carried out for the purpose of achieving and maintaining certification. The relevant auditor will provide a plan of the audit and, once this is confirmed by the organisation, resources will be allocated and dates, times and locations agreed. The audit will then be conducted following the audit plan.

Types and stages of external audit
► Stage 1 audit – “Documentation Review” to establish that the organisation has the required documentation for an operational ISMS.
► Stage 2 audit – “Certification Audit” – an evidential audit to confirm that the organisation is operating the ISMS in accordance with the standard. This evidential audit is conducted on a sampling basis.
► Surveillance audit – Also known as “Periodic Audits”, these are carried out on a scheduled basis in between certification and recertification audits and will focus on one or more areas of the ISMS.
► Recertification audit – Carried out before the certification period expires and is a more thorough review than those carried out during a surveillance audit. It covers all areas of the standard.



ISO 27701:2019 - Privacy Information Management System (PIMS) framework

ISO/IEC 27701:2019 provides guidance for establishing, implementing, maintaining and continually improving a PIMS (privacy information management system) based on the requirements, control objectives and controls in the information security management standard ISO/IEC 27001:2013, and extended by a set of privacy-specific requirements, control objectives and controls.

ISO 27701 PIMS framework

Establish – Establish the scope, context, objectives, underlying policies and associated documentation for PIMS
► Scope, Context & Objectives: ISMS & PIMS Scope Statement; Context of the Organization; Privacy Objectives
► Policies: PIMS Policy; Data Privacy Policy; Global Information Security Policy; Data Retention and Disposal Policy; Statement of Applicability
► Associated Documents: SOP - Risk assessment & risk treatment; SOP – Internal Audit; Guidelines for Communication Plan; Consent Management Guideline; Non Disclosure Agreements; Privacy Impact Assessment Guidelines; Privacy Notices; Guidelines for PII Controller & Processor; Data Processing Agreements with processors and customers; Website privacy and cookie policy; PII data request response templates

Implement – Set up privacy governance framework and implement controls (Operations)
► Privacy Governance Framework
► Data Mapping Sheet
► Data Process Templates for controller & processor
► Checklist for Privacy by Design & Security Controls for Privacy
► Privacy Training and Awareness

Monitor & Review – Perform periodic review activities (Performance Evaluation)
► Internal audit for privacy
► Risk assessment for privacy
► Privacy Impact Assessment for applicable processes (PIA templates)
► Management Review Meetings

Maintain & Improve – Identify improvement opportunities & take corrective actions (Improvement)
► SOP - Corrective actions

Importance of ISO 27701
• Builds trust in managing PII
• Supports compliance with privacy regulations
• Reduces complexity by integrating with ISO / IEC 27001
• Facilitates effective business relationships
• Clarifies roles and responsibilities



ISO 31000:2018 – Risk Management

ISO 31000:2018 is an international standard for risk management that provides a framework and set of principles for organizations to establish and implement effective risk management.

► Risk Management Principles: 11 fundamental guidelines that provide a foundation for effective risk management within an organization.
► Risk Management Framework: Systematic and comprehensive structure for identifying, assessing, treating, monitoring, and communicating about risks.
► Risk Management Process: Using the established Risk Management Framework to effectively implement risk mitigation strategies and reduce the impact of risks.

WHY ISO 31000?
1. Improve operational efficiency and governance
2. Increase stakeholder confidence in your risk management techniques
3. Strengthen operational controls, including mandatory and voluntary reporting
4. Improve business performance, crisis management and organisational resilience
5. Respond to change effectively and protect business as you grow



ISO 31000:2018 – Risk Management Framework

Risk Management Framework
The framework is centred on value creation and protection.

Risk Management Process
► Scope, context, criteria
► Risk assessment
  • Risk identification
  • Risk analysis
  • Risk evaluation
► Risk Treatment
► Recording & Reporting
► Communication and consultation (shown alongside every step of the process)
► Monitoring and Review (shown alongside every step of the process)
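To make the assessment and treatment steps concrete, here is an added example (not from ISO 31000 or the slides) of a small risk register that walks one set of constructed risks through risk analysis, risk evaluation against constructed criteria, prioritisation, and a treatment step that re-evaluates the residual risk. The 1 to 5 scales, the acceptance thresholds and the risk entries are all assumptions chosen for illustration; an organisation would set its own under "Scope, context, criteria".

```python
# Constructed risk criteria: score thresholds mapped to the required decision.
# score <= accept -> accept and monitor; <= treat -> plan treatment; above -> escalate.
RISK_CRITERIA = {"accept": 4, "treat": 12}

# Constructed register entries: (id, description, likelihood 1-5, impact 1-5).
SAMPLE_RISKS = [
    ("R-01", "Ransomware on file servers, no offline backups", 4, 5),
    ("R-02", "Loss of a laptop with full-disk encryption", 3, 1),
    ("R-03", "Supplier outage affecting payroll SaaS", 2, 4),
    ("R-04", "Phishing leading to credential theft", 5, 3),
]


def analyse(likelihood, impact):
    """Risk analysis: combine likelihood and impact on the assumed 1-5 scales."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def evaluate(score, criteria=RISK_CRITERIA):
    """Risk evaluation: compare the analysed score with the acceptance criteria."""
    if score <= criteria["accept"]:
        return "accept"
    if score <= criteria["treat"]:
        return "treat"
    return "escalate"


def build_register(risks, criteria=RISK_CRITERIA):
    """Risk identification input -> analysed, evaluated and prioritised register."""
    register = []
    for risk_id, description, likelihood, impact in risks:
        score = analyse(likelihood, impact)
        register.append({
            "id": risk_id,
            "description": description,
            "likelihood": likelihood,
            "impact": impact,
            "score": score,
            "decision": evaluate(score, criteria),
        })
    # Treatment priority: highest score first; ties broken by the worse consequence.
    register.sort(key=lambda entry: (entry["score"], entry["impact"]), reverse=True)
    return register


def apply_treatment(entry, likelihood_after=None, impact_after=None, criteria=RISK_CRITERIA):
    """Risk treatment plus monitoring and review: record the expected effect of a
    treatment and re-evaluate the residual risk. Factors not supplied are unchanged."""
    likelihood = entry["likelihood"] if likelihood_after is None else likelihood_after
    impact = entry["impact"] if impact_after is None else impact_after
    residual = analyse(likelihood, impact)
    return dict(
        entry,
        residual_likelihood=likelihood,
        residual_impact=impact,
        residual_score=residual,
        residual_decision=evaluate(residual, criteria),
    )


if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    for entry in register:
        print(f"{entry['id']} score={entry['score']:>2} decision={entry['decision']}: {entry['description']}")
    # Constructed treatment: offline backups and tested restores for R-01.
    treated = apply_treatment(register[0], likelihood_after=2, impact_after=2)
    print(f"{treated['id']} residual={treated['residual_score']} -> {treated['residual_decision']}")
```

Keeping the inherent and residual values side by side in each record is what the "Recording & Reporting" step needs: it shows reviewers which treatments were assumed to work, so that "Monitoring and Review" can check those assumptions later.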



Introduction to FEDRAMP

• The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that:
  • Ensures adequate information security for cloud-based services;
  • Eliminates duplication of efforts and reduces risk management costs; and
  • Enables rapid and cost-effective procurement of information systems / services for federal agencies.
• FedRAMP came into recognition in early 2012 and is the result of close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry.
• Cloud Service Providers (CSPs) for the government are required to implement FedRAMP security requirements on their environment and get assessed by independent organizations (FedRAMP approved Third Party Assessment Organization, 3PAO).
• Since FedRAMP authorization is required for any CSP working with the federal government, gaining the FedRAMP Joint Authorization Board (JAB) acceptance and accreditation approval of cloud offerings including infrastructure, platform, and software as a service (IaaS, PaaS, SaaS) has become a primary competitive advantage.

Applicable standards and regulations

Standards – Description
► NIST SP 800-53A Revision 4 – Guide for Assessing the Security Controls in Federal Information Systems
► NIST SP 800-30 Revision 1 – Guide for Conducting Risk Assessment
► NIST SP 800-137 – Information Security Continuous Monitoring for Federal Information Systems and Organizations
► NIST SP 800-145 – NIST Definition of Cloud Computing
► FIPS 199 – Standards for Security Categorization of Federal Information and Information Systems
► FIPS 140-2 – Security Requirement for Cryptographic Modules
► FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems



Introduction to FEDRAMP

The following provides a high-level overview of the steps for achieving FedRAMP authorization:

1. Readiness Assessment*: Readiness assessment is performed by a 3PAO and the report is provided to JAB P-ATO for review. On review, the organization can be designated FedRAMP Ready.
2. Full Security Assessment: Full security assessment is performed by a 3PAO (for Agency Authorization) and all details are provided to JAB P-ATO or the Agency respectively.
3. Authorization Review: JAB P-ATO or the Agency reviews the package and provides necessary recommendations and gaps as identified.
4. Remediation: CSP and 3PAO remediate system and documentation issues as needed and ensure all JAB Reviewer comments are appropriately mitigated.
5. Final Review: JAB Reviewers / agency review and validate the remediation efforts, for the CSP to receive a P-ATO decision based on the review.

* Only for CSPs opting for JAB authorization.

After authorization, the CSP enters FedRAMP Continuous Monitoring.



Quiz

1. Which framework focuses on privacy information management and provides guidance for implementing and maintaining a Privacy Information Management System (PIMS)?
A) ISO/IEC 27701
B) ISO 31000
C) NIST CSF
D) ISO/IEC 27001

2. Which framework provides a comprehensive set of controls and safeguards for managing and protecting organizational information assets?
A) ISO/IEC 27701
B) NIST Special Publication 800-53
C) ISO 31000
D) NIST Cybersecurity Framework (CSF)

3. Which framework focuses on business continuity management and ensuring organizations can continue operating during and after disruptive events?
A) ISO 22301
B) NIST Special Publication 800-37
C) NIST Special Publication 800-53
D) ISO 31000

4. Which framework is specifically designed to provide guidelines for risk management in cloud services for the federal government?
A) ISO 31000
B) ISO/IEC 27701
C) FEDRAMP
D) NIST CSF

5. Which framework is primarily used by federal agencies in the United States to manage information security and risk?
A) ISO 22301
B) NIST CSF
C) SEC CyberSec Rule
D) NIST Special Publication 800-53

Answers: 1. A, 2. B, 3. A, 4. C, 5. D

Risk Management Frameworks


Thank you!
Cyber Risk & Resilience

July 2023

Contents
1. Cyber Risk vs Cyber Resilience
2. Impact of Emerging Technologies on Cyber Risk and Resilience
3. Challenges in Cyber Risk Management and Resilience
4. Future Trends and Opportunities
5. Risk-Informed Decision Making
6. Resilience-Informed Decision Making
7. Quiz

Page 99 | Embed visibility and traceability into your supply chain


Cyber Risk vs Cyber Resilience

Cyber Risk

Cyber risk refers to the potential loss or harm related to technical infrastructure, use of technology, or reputation of an organization resulting from a cyber-attack or data breach. It is the risk of financial loss, operational disruption, or damage from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system.

• Cyber risk is never a matter purely for the IT team, and all types and sizes of organizations are at risk, not only financial services firms, defence organizations, and high-profile names which make the headlines.
• Cybersecurity risk management is an essential part of every organization's enterprise risk profile, and cybersecurity controls are typically designed and implemented across the entity to mitigate cyber risks.
• Cyber risk is any risk associated with financial loss, disruption, or damage to the reputation of an organization from failure, unauthorized, or erroneous use of its information systems.
• Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation) and assets, individuals, other organizations, and the Nation.
• Example: Firewalls, Encryption, Penetration testing, Web Application Setting.

Cyber Resilience

Cyber resilience refers to an organization's ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. It is the ability of a computing system to recover quickly should it experience adverse conditions, and it requires continuous effort and touches on many aspects of information security, including disaster recovery, business continuity, and computer forensics.

• Cyber resilience is highly beneficial for organizations as it includes defending, mitigating, and recovering from threats such as a cybersecurity breach or cyberattack.
• Cyber resilience is an organization's ability to reduce damage from an attack, as well as respond and recover quickly in the event of an attack.
• Cyber resilience involves putting organizations in a position to overcome insufficiencies in cybersecurity, stop cyber incidents, and pick themselves back up if a cyber threat does manage to slip through security controls.
• Cyber resilience is built up over time and refers to the preparations an organization makes to deal with threats and vulnerabilities, the defences that have been developed, and the resources that are available for mitigating a security failure after the fact.



Cyber Risk vs Cyber Resilience

Differentiating between cyber risk and cyber resilience ensures a balanced approach to cybersecurity, encompassing
prevention, mitigation, response, and recovery strategies.

Cyber Risk: Minimizing the likelihood of successful attacks
Cyber Resilience: Minimizing the likelihood of an impact from an incident

Cyber Risk: Establishing security infrastructure to protect against common threats, e.g. security policy and procedures, web application security.
Cyber Resilience: Preparing for, responding to, and recovering from cyberattacks.

Cyber Risk: Securing critical resources from prevalent risks.
Cyber Resilience: Overcoming insufficiencies in cybersecurity, stopping cyber incidents, and picking up after an attack.

Cyber Risk: Focuses on adversarial threats.
Cyber Resilience: Covers adversarial and non-adversarial threats.

Cyber Risk: Cyber risk management activities are often preventive and ongoing, with regular assessments and adjustments to security measures.
Cyber Resilience: Cyber resilience efforts are responsive and ongoing, with continuous monitoring and adjustment to recovery and continuity plans.

Cyber Risk: Cyber risk management is typically proactive and ongoing, focusing on identifying and mitigating risks before they materialize.
Cyber Resilience: Cyber resilience often involves a more reactive and adaptive approach, aiming to minimize downtime and disruptions during and after incidents.



Impact of Emerging Technologies on Cyber Risk and Resilience: IoT

Expansion of Attack Surfaces


► IoT devices increase the number of entry points into organizational networks, broadening the attack surface for cyber attackers.
► Each IoT device, if compromised, can serve as a foothold for attackers to access sensitive data and compromise network security.
► The diversity of IoT devices introduces various vulnerabilities and security challenges, requiring specific configurations and updates to maintain network integrity.
► Securing IoT devices demands robust measures like encryption, authentication, and continuous monitoring to mitigate potential risks and protect organizational assets.

Present Recommendation
► IoT devices, operating on diverse platforms and protocols, complicate secure integration into existing cybersecurity frameworks.
► Security vulnerabilities like default credentials and insufficient encryption in IoT devices pose significant risks to organizational data and systems.
► Effective management and regular updates are crucial to mitigate these vulnerabilities and enhance the security posture of IoT deployments within organizations.

Example

► The Mirai botnet exploited vulnerabilities in IoT devices, leveraging default credentials to orchestrate large-scale DDoS attacks in 2016, causing significant disruptions to major
internet services.
► This incident underscores the critical importance of implementing robust security measures for IoT devices to prevent exploitation and mitigate potential risks effectively.
► Organizations must adopt proactive risk management strategies to identify and address vulnerabilities in IoT devices before they can be exploited by malicious actors.
► Enhancing cybersecurity measures for IoT devices involves regular updates, strong authentication practices, and continuous monitoring to safeguard against similar threats in
the future.



Impact of Emerging Technologies on Cyber Risk and Resilience: AI

Enhancing Cybersecurity
► AI technologies like machine learning and predictive analytics bolster cybersecurity defenses by automating the detection and response to threats.
► These AI-powered systems excel in real-time analysis of extensive data sets, enabling quicker identification of anomalies and potential threats compared to conventional methods.
► Leveraging AI for cybersecurity enhances the ability to proactively detect and mitigate emerging threats before they escalate.
► Implementing AI-driven solutions requires continuous refinement and integration with existing security frameworks to maximize effectiveness and adaptability in combating
evolving cyber threats.

Risks of AI in Cyberattacks
► Cybercriminals are leveraging AI for sophisticated attacks, including AI-generated phishing emails and adaptive malware designed to evade detection.
► The integration of AI in cyberattacks presents significant challenges to traditional cybersecurity approaches, necessitating adaptive and proactive defense strategies.
► Defending against AI-driven cyber threats requires continuous monitoring, advanced AI-powered detection tools, and adaptive security protocols to effectively mitigate evolving
risks.

Example

► Deep learning techniques used in AI-driven malware can replicate human behavior, enabling them to evade detection and carry out precise, targeted attacks.
► Recognizing the capabilities of AI-driven threats is essential for devising robust cybersecurity strategies that effectively mitigate risks.
► Developing resilient cybersecurity strategies involves integrating AI-powered detection and response mechanisms to counter sophisticated AI-driven threats.
► Continuous education and adaptation of defense strategies are critical in staying ahead of evolving AI-driven malware tactics and maintaining robust cybersecurity posture.
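The slide describes automated detection as real-time analysis of large data sets that surfaces anomalies faster than manual review. The block below is an added example, not part of the course material, that shows the simplest version of that idea: a per-user baseline of failed logins per minute is learned from a history window, and live minutes that sit far above the baseline are flagged. It uses a statistical z-score rather than a trained model, so it stands in for the detection step only; the log format, user names, thresholds and every log line are constructed for the example.

```python
"""Added example (not from the course): statistical anomaly detection of
failed-login bursts over constructed authentication log lines."""
import re
import statistics
from collections import defaultdict

# Constructed log format: "<ISO timestamp> <source> user=<name> result=<OK|FAIL>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\d \S+ user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

HISTORY = [  # constructed baseline window: normal activity
    "2024-07-01T10:00:05 sshd user=alice result=FAIL",
    "2024-07-01T10:00:40 sshd user=alice result=OK",
    "2024-07-01T10:01:02 sshd user=alice result=FAIL",
    "2024-07-01T10:01:30 sshd user=alice result=FAIL",
    "2024-07-01T10:02:11 sshd user=alice result=FAIL",
    "2024-07-01T10:03:15 sshd user=alice result=FAIL",
    "2024-07-01T10:03:50 sshd user=alice result=FAIL",
    "2024-07-01T10:00:20 sshd user=bob result=FAIL",
    "2024-07-01T10:01:45 sshd user=bob result=FAIL",
]

LIVE = [  # constructed live window: alice and carol burst, bob is normal
    *[f"2024-07-01T11:00:{s:02d} sshd user=alice result=FAIL" for s in range(8)],
    "2024-07-01T11:00:10 sshd user=bob result=FAIL",
    "2024-07-01T11:00:30 sshd user=bob result=FAIL",
    *[f"2024-07-01T11:00:{s:02d} sshd user=carol result=FAIL" for s in range(6)],
    "garbage line that does not parse",  # malformed input must not crash the detector
]


def failures_per_minute(lines):
    """Count FAIL results per (user, minute); unparseable lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["result"] == "FAIL":
            counts[(m["user"], m["ts"])] += 1
    return counts


def baselines(history_counts, floor=1.0):
    """Per-user (mean, stdev) of failures per active minute, plus a global pair
    used for users with no history. The stdev is floored so a perfectly flat
    history does not turn every small deviation into a huge z-score."""
    per_user = defaultdict(list)
    for (user, _minute), n in history_counts.items():
        per_user[user].append(n)

    def stats(ns):
        if not ns:
            return 0.0, floor
        return statistics.mean(ns), max(statistics.pstdev(ns), floor)

    all_counts = [n for ns in per_user.values() for n in ns]
    return {u: stats(ns) for u, ns in per_user.items()}, stats(all_counts)


def detect_anomalies(history, live, z_threshold=3.0):
    """Return the live (user, minute) buckets whose failure count exceeds the
    user's baseline by more than z_threshold standard deviations, worst first."""
    user_base, global_base = baselines(failures_per_minute(history))
    flagged = []
    for (user, minute), n in failures_per_minute(live).items():
        mean, sd = user_base.get(user, global_base)  # unknown user: global baseline
        z = (n - mean) / sd
        if z > z_threshold:
            flagged.append({"user": user, "minute": minute, "failures": n, "z": round(z, 2)})
    return sorted(flagged, key=lambda a: a["z"], reverse=True)


if __name__ == "__main__":
    for alert in detect_anomalies(HISTORY, LIVE):
        print(alert)
```

The per-user baseline is what keeps a noisy service account from drowning the alert queue; the global fallback makes a brand-new account with a burst of failures visible rather than silently unscored. In production the history window would be rolled forward continuously and the threshold tuned against the false-positive rate the response team can absorb.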



Challenges in Cyber Risk Management and Resilience

Rapid Technological Advancements vs. Traditional Security Measures
► The rapid pace of technological innovation, including AI, IoT, and cloud computing, often outpaces organizations' ability to update and secure their systems adequately. Legacy systems and outdated security protocols become vulnerable to new and sophisticated cyber threats.
► Addressing this challenge requires continuous monitoring of emerging technologies, proactive risk assessments, and agile adaptation of cybersecurity strategies.

Regulatory Compliance and International Standards
► Compliance with diverse and evolving regulatory requirements (e.g., GDPR, CCPA) presents significant challenges for organizations operating across multiple jurisdictions. Non-compliance can result in severe financial penalties, legal consequences, and damage to reputation.
► Harmonizing international cybersecurity standards and frameworks facilitates cooperation and information sharing among organizations and governments, enhancing global cyber resilience.

Skills Gap in Cybersecurity Workforce


► There is a global shortage of skilled cybersecurity professionals capable of
understanding and mitigating complex cyber threats. This shortage is exacerbated by
the increasing demand for specialized skills in areas such as AI-driven security, IoT
security, and threat intelligence.
► Organizations struggle to recruit and retain cybersecurity talent, hindering their ability
to build robust cyber resilience capabilities.



Future Trends and Opportunities

Increased Automation in Cybersecurity Defenses
Trend: The adoption of AI and machine learning for automated threat detection, analysis, and response is rapidly growing.
Opportunity: Automated systems can detect and respond to cyber threats in real-time, improving incident response times and reducing manual intervention.
Benefit: Organizations can benefit from enhanced accuracy and efficiency in identifying and mitigating cyber threats, thereby strengthening overall cybersecurity posture.

Blockchain Technology for Secure Transactions
Trend: Blockchain's decentralized and immutable ledger is increasingly being explored for enhancing cybersecurity in transactions and data management.
Opportunity: Blockchain ensures the integrity and transparency of transactions by eliminating the need for intermediaries and providing cryptographic security.
Benefit: Applications extend beyond financial transactions to supply chain management, identity verification, and secure data sharing, offering new avenues for bolstering cyber resilience.



Future Trends and Opportunities

Advancements in Threat Intelligence and Analytics
Trend: Continuous advancements in threat intelligence platforms and analytics capabilities are improving organizations' ability to proactively detect and mitigate cyber threats.
Opportunity: Enhanced threat visibility and predictive capabilities enable organizations to anticipate and mitigate emerging threats before they escalate.
Benefit: Investment in advanced analytics tools and threat intelligence platforms empowers organizations to stay ahead of evolving cyber threats and strengthen their cybersecurity defenses.

Integration of Cybersecurity into Digital Transformation Strategies
Trend: The integration of cybersecurity considerations into digital transformation initiatives is becoming a strategic imperative for organizations.
Opportunity: By embedding cybersecurity into digital initiatives from the outset, organizations can ensure that security measures are aligned with business objectives and regulatory requirements.
Benefit: Proactively addressing cybersecurity in digital transformation strategies enhances resilience, reduces risk, and supports sustainable growth in an increasingly digital economy.



Risk-Informed Decision Making

Risk-informed decision making is a structured approach that evaluates options based on associated risks, including insights from probabilistic risk
assessment, alongside other factors. It prioritizes safety and risk considerations, promoting awareness and comprehensive decision-making. Benefits
include uncovering unexpected issues, enabling clear conversations, aiding decision-makers, offering a holistic view, and providing fresh perspectives.

Methods

Conduct a risk assessment: This involves analyzing the potential risks associated with different options or alternatives. A thorough risk assessment helps to identify and prioritize risks, and provides a basis for decision making.

Research and develop recommendations: Based on the results of the risk assessment, research and develop recommendations for mitigating the identified risks. For each risk, define what addressing it will cost in terms of time, effort, and money.

Develop an annual strategic plan: At the end of the discussion with stakeholders, create action items and add agreed-upon recommendations to your annual strategic plan.

Communicate risks and their implications: Communicate the risks and their implications to stakeholders and decision makers. This helps to ensure that everyone involved in the decision-making process is aware of the risks and can make informed decisions.

Implement risk mitigation measures: Implement measures to reduce or mitigate the identified risks. This may involve investing in new technology, improving processes, or changing organizational culture.

Consider risks alongside other factors: When making decisions, consider the risks alongside other factors such as cost, benefits, and stakeholder perspectives. This helps to ensure that decisions are made with an awareness of the risks associated with each option.
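The methods above describe a procedure: quantify each risk, cost each recommendation, then weigh risk reduction against cost and other factors before committing to a plan. The block below is an added example, not part of the course material, that carries that procedure through in code. It uses the common annualised loss expectancy (ALE = single loss expectancy x annualised rate of occurrence) as the probabilistic estimate, ranks candidate measures by net annual benefit, and then selects measures against a budget, recording why each deferred measure was left out so the result can be communicated to stakeholders. All risk names, loss figures, reduction factors, costs and the budget are constructed for illustration.

```python
"""Added example (not from the course): risk-informed ranking and selection of
mitigation measures using ALE, net benefit and a budget constraint."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy per incident, in currency units
    aro: float   # expected incidents per year before treatment


@dataclass(frozen=True)
class Measure:
    name: str
    risk: str           # name of the Risk this measure addresses
    reduction: float    # fraction of the risk's ALE expected to be removed (0..1)
    annual_cost: float  # time, effort and money expressed as currency per year


# Constructed risk register (step 1: risk assessment)
RISKS = [
    Risk("Ransomware on file servers", sle=400_000, aro=0.2),
    Risk("Phishing credential theft", sle=50_000, aro=2.0),
    Risk("Loss of unencrypted laptop", sle=20_000, aro=0.5),
]

# Constructed recommendations with their costs (step 2)
MEASURES = [
    Measure("Offline, tested backups", "Ransomware on file servers", reduction=0.7, annual_cost=15_000),
    Measure("Phishing-resistant MFA", "Phishing credential theft", reduction=0.9, annual_cost=30_000),
    Measure("Full-disk encryption", "Loss of unencrypted laptop", reduction=0.95, annual_cost=4_000),
    Measure("24x7 SOC retainer", "Phishing credential theft", reduction=0.5, annual_cost=120_000),
]


def ale(risk: Risk) -> float:
    """Annualised loss expectancy: what this risk costs in an average year."""
    return risk.sle * risk.aro


def evaluate(risk: Risk, measure: Measure) -> dict:
    """Cost/benefit of one measure against the risk it treats."""
    before = ale(risk)
    after = before * (1.0 - measure.reduction)
    avoided = before - after
    return {
        "measure": measure.name,
        "risk": risk.name,
        "ale_before": before,
        "ale_after": after,
        "cost": measure.annual_cost,
        "net_benefit": avoided - measure.annual_cost,
        "rosi": (avoided - measure.annual_cost) / measure.annual_cost,  # return on security investment
    }


def plan(risks, measures, budget):
    """Rank measures by net annual benefit and greedily fund those that fit the
    budget and pay for themselves; everything else is deferred with a reason
    (steps 3 and 6: plan, and weigh risk against cost)."""
    by_name = {r.name: r for r in risks}
    rows = sorted((evaluate(by_name[m.risk], m) for m in measures),
                  key=lambda r: r["net_benefit"], reverse=True)
    selected, deferred, spent = [], [], 0.0
    treated = {}  # risk name -> residual ALE once a measure is funded
    for row in rows:
        if row["net_benefit"] <= 0:
            deferred.append((row["measure"], "does not pay for itself"))
        elif row["risk"] in treated:
            deferred.append((row["measure"], "risk already treated by a better measure"))
        elif spent + row["cost"] > budget:
            deferred.append((row["measure"], "exceeds remaining budget"))
        else:
            selected.append(row)
            spent += row["cost"]
            treated[row["risk"]] = row["ale_after"]
    residual = sum(treated.get(r.name, ale(r)) for r in risks)
    return {"selected": selected, "deferred": deferred, "spent": spent, "residual_ale": residual}


if __name__ == "__main__":
    result = plan(RISKS, MEASURES, budget=40_000)
    for row in result["selected"]:
        print(f"fund   {row['measure']:<26} net benefit {row['net_benefit']:>10,.0f}")
    for name, why in result["deferred"]:
        print(f"defer  {name:<26} {why}")
    print(f"residual ALE {result['residual_ale']:,.0f} for spend {result['spent']:,.0f}")
```

With the constructed figures and a 40,000 budget the plan funds MFA and disk encryption, defers the backup measure because it no longer fits the remaining budget even though it has the second-best net benefit, and rejects the SOC retainer because its avoided loss is below its cost. The deferred list with reasons is the artefact to take into the stakeholder discussion; the residual ALE is the number to carry into the annual strategic plan.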



Resilience-Informed Decision Making

Resilience informed decision making is an approach to decision-making that takes into account the ability of a system to withstand and recover from
disruptions and stresses. It is particularly important in the early design stages, where informed decisions must be made to ensure that the developed
system will be resilient. Resilience informed decision-making can be enabled through gamification techniques, resilience assessments, and application
to critical infrastructure networks.

Methods

Develop modelling and design frameworks: One approach to resilience informed decision making is to develop modelling and design frameworks that enable the consideration of features such as system reconfiguration and functional redundancy.

Use gamification: Another approach is to use gamification techniques to integrate decision-making theory with serious gaming, which can help enable resilient informed decision making.

Conduct experimental investigations: Conducting experimental investigations can help to understand how people make decisions in the context of repeated disruptive events, which can inform resilience decision making.

Critical infrastructure networks: Resilience-informed decision making can be applied to critical infrastructure networks to manage inter-dependencies and ensure resilience.

Create trauma-informed environments: Trauma and resilience informed tips can be used to create environments that are sensitive to the needs of individuals who have experienced trauma, which can help to promote resilience.



Quiz

1. What is the primary focus of cyber resilience compared to cyber risk?
A) Preventing cyber attacks B) Recovering from cyber incidents C) Assessing vulnerabilities D) Monitoring network traffic

2. How do IoT and AI impact cyber risk and resilience?
A) They reduce the need for cybersecurity measures B) They increase attack surfaces and enhance threat detection capabilities C) They have no impact on cybersecurity D) They only affect large organizations

3. What is a significant challenge in cyber risk management and resilience?
A) Lack of cybersecurity regulations B) Slow adoption of emerging technologies C) Complexity and rapid evolution of cyber threats D) Excessive budget allocation for cybersecurity

4. What does risk-informed decision making involve in cybersecurity?
A) Using risk assessments to guide decisions B) Ignoring potential risks for immediate gains C) Avoiding all technological advancements D) Implementing cybersecurity measures blindly

5. How does resilience-informed decision making differ from risk-informed decision making?
A) It focuses on preventing cyber incidents B) It involves reactive measures after incidents occur C) It does not consider potential risks D) It aims to recover quickly from cyber incidents

Answers
1. B 2. B 3. C 4. A 5. D

Thank you!

Dimensions of Risk Management (Data Governance)

July 2024

Contents
1. Understanding Data Governance
2. Benefits and Challenges of Data Governance
3. Relationship between risk management and data governance
4. Understanding DAMA Data Governance
5. Understanding ISO 8000
6. Quiz

Data Governance
Global Data Breaches
Let's begin by examining recent global data breach incidents, which highlight the urgent need for effective data governance practices and underline the critical importance of robust cybersecurity measures and proactive risk management.

The Canadian Military and Police Data Breach: On October 19, 2023, a major cybersecurity breach exposed personal and financial data of Canadian government employees, Armed Forces members, and RCMP personnel. Third-party service providers BGRS and SIRVA Canada, contracted for relocation support, were involved. Preliminary findings indicate potential exposure for individuals using relocation services since 1999.

Latitude Data Breach: On March 16, 2023, a major cyber-incident hit Latitude, exposing personal data from millions of Australian and New Zealand customers, the largest data breach in an Australian financial institution, affecting 14 million users. Latitude faced a $76 million financial impact and criticism for inadequate risk mitigation with service providers.

Air Europa Data Breach: On August 23, 2023, hackers had successfully accessed Spanish airline carrier Air Europa's systems, extracting customers' financial data: card numbers, expiration dates, and 3-digit CVV numbers. As a result, the company had to urge all customers to cancel their payment methods used for reservations.

Forever 21 Data Breach: Between January 5 and March 21, 2023, Forever 21 experienced a data breach, where unauthorized access led to the theft of employees' personal data and health information. Hackers intermittently accessed the system during this period, exposing data such as names, social security numbers, bank details, and health plan information. The breach affected both current and former employees, with 539,207 individuals notified about the incident.

Indian Council of Medical Research Data Breach: On October 9, 2023, approximately 815 million Indian citizens had their Covid test and other health data exposed in a massive data breach. In mid-October, Indian authorities were first alerted by a US security firm after a threat actor, identified as "pwn0001," claimed to possess the names, addresses, and phone numbers of hundreds of millions of Indians for sale.

Data Governance
Introduction

Background
Data governance is the collection of processes, policies, roles, metrics, and standards that ensures an effective and efficient use of information. This also helps establish data management processes that keep your data secured, private, accurate, and usable throughout the data life cycle.
A robust data governance strategy is crucial for any organization that uses data to drive business growth, make improved decision-making, and ensure successful outcomes in a competitive market.

Requirement
Data governance plays an essential role in regulatory compliance, ensuring that organizations are consistently compliant with all levels of regulatory requirements. This is key for minimizing risks and reducing operational costs.
At its core, data governance leads to improved data quality, decreased data management costs, and increased access to data for all stakeholders. The result is better decision making and better business outcomes.

1. Benefits of Data Governance: A big part of data governance is building a program that breaks down data silos through a collaborative process with stakeholders from disconnected business units. It offers many benefits including improved data quality, compliance, data management etc.
2. Challenges of Data Governance: Though the rewards are great, creating a data governance solution may feel difficult. Some of those challenges include company wide acceptance, poor data management, standardization and many more. We will dive deeper into the details of challenges of data governance in the further slides.
3. Foresight: The future of Data Governance is one in which governance practices, roles, and responsibilities are organized around attaining business objectives. It is a future in which the various aspects of governance (stewardship, governance councils, metadata) are mastered and benefits are determined by business value.

Data Governance
Data Governance: Strengthening Confidence in Data

Goal of Data Governance
The primary goal of data governance is to build trust in data, emphasizing stakeholders' confidence in how data is collected, analysed, published, and used. To ensure this trust, a data governance strategy must focus on three crucial aspects: discoverability, security, and accountability.

Discoverability
Discoverability involves making technical metadata, lineage information, and a business glossary readily available. Business-critical data must be correct and complete. Master data management ensures precise classification, offering protection against inadvertent or malicious changes or leakage. This is explained further in Session 2.

Security
Depending on the business domain and dataset, regulatory compliance, sensitive data management (such as personally identifiable information), and prevention of data security breaches are vital. Security measures are tailored to the specific needs and risks associated with the data.

Accountability
Once discoverability and security are established, accountability is then crucial, requiring an operating model that defines ownership and accountability boundaries within data domains. This ensures clear responsibility for data integrity and usage throughout its lifecycle.

[Figure: Discoverability (metadata management, data quality, master data management) and Security (data privacy, data security, classification and access control) supporting Accountability and data-based governance]

Data Governance
Data Governance: Aspects

1. Data Quality Management: Ensuring data accuracy, completeness, consistency & timeliness across its lifecycle. This involves establishing standards, processes, and tools to monitor and improve data quality.
2. Data Security and Privacy: Implementing measures to protect data from unauthorized access, breaches, and misuse. This includes defining access controls, encryption policies, and ensuring compliance with data privacy regulations.
3. Data Access and Usage Policies: Defining rules and guidelines for accessing, sharing, and using data within the organization. This includes roles and responsibilities, data sharing agreements, and permissions management.
4. Data Lifecycle Management: Managing data from creation or acquisition through usage, storage, and eventual disposal. This aspect ensures data is retained only as long as necessary and disposed of securely.
5. Data Architecture & Metadata Management: Establishing frameworks for organizing data structures, formats, and relationships. Metadata management involves capturing and maintaining metadata to provide context.
6. Data Stewardship and Ownership: Assigning accountability for data quality, security, and compliance to designated individuals or teams. Clarifying data ownership ensures responsibilities are clear and upheld.
7. Data Risk Management: Identifying and mitigating risks related to data governance like data breaches & non-compliance. This involves risk assessment, monitoring, and implementing controls to mitigate identified risks.
8. Data Governance Framework and Policies: Developing a formalized framework, policies, and procedures that define the organization's approach to data governance. This includes governance structures & decision-making processes.
9. Data Culture and Awareness: Fostering a data-driven culture where stakeholders understand the importance of data governance and their roles in upholding data quality, security, and compliance.
10. Data Compliance & Regulatory Alignment: Ensuring data governance practices align with legal and regulatory requirements relevant to the organization's industry and geographic locations. This includes data protection laws & industry standards.

Data Governance
Data Governance: Benefits

01 Data Quality Improvement: By establishing data governance practices, organizations can maintain higher data quality standards. This includes defining data standards, ensuring accuracy, completeness, and consistency across various systems and departments. Improved data quality leads to better decision-making and more reliable analytics.

02 Regulatory Compliance: With the increasing number of data privacy regulations (like GDPR, CCPA, etc.), data governance helps organizations comply with these regulations. It involves creating policies and procedures to protect sensitive data, ensuring its proper handling, and defining access controls to meet compliance requirements.

03 Risk Mitigation: Data governance helps in identifying and mitigating risks associated with data. By implementing measures to secure data, control access, and monitor its usage, organizations can reduce the risks of data breaches, unauthorized access, and misuse of sensitive information.

04 Increased Trust and Transparency: Establishing clear data governance practices fosters trust among stakeholders. It ensures transparency in how data is collected, managed, and used within the organization. This transparency helps build trust among customers, partners, and internal teams, enhancing overall credibility.

05 Efficient Decision-Making: Properly governed data provides a reliable foundation for decision-making processes. Access to accurate and timely data enables faster and more informed decisions across all levels of an organization, contributing to improved operational efficiency and strategic planning.

06 Cost Savings: Data governance, while requiring an initial investment, can lead to cost savings in the long run. It reduces inefficiencies caused by poor data quality, minimizes the risk of non-compliance fines, and prevents costly data-related incidents such as breaches or data loss.

Data Governance
Data Governance: Challenges

Cultural Resistance
⮚ Getting buy-in and participation from stakeholders across the organization can be challenging.
⮚ Resistance to change or lack of awareness about the importance of data governance may hinder its successful implementation.

Resource Constraints
⮚ Implementing robust data governance requires dedicated resources, including personnel, tools, and technology.
⮚ Limited budgets or inadequate resources can hinder the establishment of comprehensive governance frameworks.

Complexity & Scale
⮚ Managing data governance becomes more challenging in large organizations with diverse data sources, formats, and systems.
⮚ The complexity increases as data volumes grow, making it harder to maintain consistency and quality.

Technology & Infrastructure
⮚ Legacy systems or outdated technology infrastructure might not fully support modern data governance requirements.
⮚ Integrating new tools or technologies while ensuring compatibility can be a challenge.

Data Quality & Integrity
⮚ Ensuring data quality and integrity across different systems and processes is a significant challenge.
⮚ Inconsistent data quality standards, data duplication, and errors can undermine the effectiveness of data governance efforts.

Data Silos & Fragmentation
⮚ Data stored in isolated silos across departments or systems can impede cohesive governance efforts.
⮚ Integrating and unifying these disparate data sources is essential for effective governance but can be challenging.

Data Governance
Relationship between Data Governance and Risk Management

Data Governance
Data governance involves defining decision rights and establishing an accountability framework. It sets the rules and guidelines for how data is created, used, updated, and deleted within an organization. The goal is to encourage desirable behaviour in managing data across its entire life cycle.

Risk Management
Cybersecurity risk management focuses on identifying, assessing, and prioritizing risks associated with the use of information technology systems, networks, and data. The objective is to proactively manage cybersecurity threats and vulnerabilities to protect against potential cyber incidents.

Relationship between data governance and risk management

• Ownership and Access Control: Data Governance defines ownership of data and access controls, specifying who can access and manipulate data. This helps in implementing cybersecurity measures like role-based access controls (RBAC) and user authentication protocols to prevent unauthorized access.
• Compliance and Privacy: Data Governance ensures compliance with privacy laws and regulatory requirements, which are critical aspects of cybersecurity. It defines security measures such as data encryption, two-factor authentication, and intrusion detection systems to protect sensitive data from breaches and unauthorized access.
• Data Quality Management: Ensuring high-quality data through Data Governance practices supports cybersecurity efforts by maintaining accurate and reliable data. This reduces the risk of security incidents caused by errors or inconsistencies in data.
• Risk Management: Both Data Governance and Cybersecurity Risk Management identify and manage risks associated with data handling. Data Governance identifies data-related risks and establishes policies and procedures to mitigate them, while Cybersecurity Risk Management implements technical controls and monitoring to address security risks.
• Metadata Management: Managing metadata as part of Data Governance provides context and understanding to data, facilitating effective cybersecurity measures. Metadata management ensures that security controls and access policies are applied appropriately based on the sensitivity and classification of data.
• Data Governance Implementation: Collaborating with Cybersecurity Risk Management, Data Governance ensures that IT practices and infrastructure support business-driven policies and objectives. This alignment strengthens overall cybersecurity posture by integrating governance principles into technical implementations and operations.
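The bullets above make three claims that are easy to state and harder to picture: governance assigns owners and access rights, RBAC is the technical control that enforces them, and metadata (sensitivity classification, whether an asset holds personal data) decides which policy applies. The block below is an added example, not part of the course material, that puts those pieces together: a small data catalogue carries the governance metadata, roles carry a clearance level, and one decision function applies the policy and writes an audit record for every request. All assets, roles, principals and classification labels are constructed for the example.

```python
"""Added example (not from the course): classification-driven RBAC decisions
taken from data-governance metadata, with an audit trail."""
from dataclasses import dataclass

# Ordered sensitivity levels (constructed); a role's clearance must cover the asset's level.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    owner: str                 # data steward accountable for this asset
    contains_pii: bool = False


@dataclass(frozen=True)
class Role:
    name: str
    clearance: str             # highest classification the role may read
    may_export: bool = False   # may copy data outside the governed platform


# Constructed data catalogue: the metadata that governance maintains
CATALOG = {
    "sales_summary": Asset("sales_summary", "internal", owner="jane"),
    "customer_pii": Asset("customer_pii", "confidential", owner="jane", contains_pii=True),
    "board_minutes": Asset("board_minutes", "restricted", owner="cfo"),
}

# Constructed role definitions: the RBAC side of the relationship
ROLES = {
    "analyst": Role("analyst", clearance="internal"),
    "data_engineer": Role("data_engineer", clearance="confidential", may_export=True),
    "privacy_officer": Role("privacy_officer", clearance="restricted"),
}

AUDIT_LOG = []  # every decision, allowed or denied, is recorded for later review


def decide(principal, role_name, asset_name, action):
    """Return {"allowed": bool, "reason": str}. Anything unknown fails closed."""
    asset, role = CATALOG.get(asset_name), ROLES.get(role_name)
    if asset is None or role is None or action not in ("read", "export"):
        verdict = (False, "unknown asset, role or action")
    elif principal == asset.owner:
        verdict = (True, "principal is the accountable data steward")
    elif LEVELS[role.clearance] < LEVELS[asset.classification]:
        verdict = (False, f"clearance {role.clearance} is below {asset.classification}")
    elif action == "export" and not role.may_export:
        verdict = (False, "role may not export data")
    elif action == "export" and asset.contains_pii:
        verdict = (False, "PII export requires the data steward")  # privacy policy from metadata
    else:
        verdict = (True, "clearance and role permit this action")
    AUDIT_LOG.append({"principal": principal, "role": role_name, "asset": asset_name,
                      "action": action, "allowed": verdict[0], "reason": verdict[1]})
    return {"allowed": verdict[0], "reason": verdict[1]}


if __name__ == "__main__":
    for req in [("amy", "analyst", "sales_summary", "read"),
                ("amy", "analyst", "customer_pii", "read"),
                ("raj", "data_engineer", "customer_pii", "export"),
                ("jane", "analyst", "customer_pii", "export"),
                ("amy", "analyst", "no_such_asset", "read")]:
        print(req, decide(*req))
```

Two design points carry over to real deployments: the function fails closed on anything missing from the catalogue, so an unregistered asset cannot be read by accident, and the PII rule is driven by the asset's metadata rather than by a list of asset names, so reclassifying an asset in the catalogue changes enforcement without touching the policy code.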
Relationship between Data Governance and Data Management

Data Governance

1. Ownership and Access Control: Defines and establishes ownership of data, determining who can access and manipulate specific data sets within the organization. Usually, ownership of data should be given to data stewards. For example, in the context of a CRM application, a sales manager might be given ownership of data related to customer interactions and sales figures.
2. Compliance and Privacy: Ensures adherence to privacy laws and regulatory requirements, defining security measures for sensitive data and incorporating data retention and deletion policies. Security measures include Data Encryption, Two-Factor Authentication, Firewalls and Intrusion Detection Systems, etc.
3. Data Quality Management: Focuses on maintaining high-quality data, establishing workflows, and people processes to ensure accurate, reliable, and consistent data across the organization.
4. Performance Indicators Alignment: Aligns data governance practices with key performance indicators (KPIs), enabling effective use of data assets to achieve organizational objectives.
5. Process Standardization: Implements consistent and standardized processes, defining roles and responsibilities to gain stakeholder buy-in for effective data governance policies.
6. Risk Management: Identifies and manages risks associated with data handling, ensuring that data-related risks are mitigated.

Data Management

1. Data Life Cycle Management: Encompasses the entire life cycle of data, including creation, storage, retrieval, and disposal, as an IT practice to ensure efficient data handling.
2. Data Access and Storage: Manages where and how data is stored, establishing practices for efficient retrieval and secure storage of data assets. For example, the organization may utilize storage architectures like Data Warehouses for handling large amounts of structured data, or Data Lakes for storing vast amounts of raw, unstructured data.
3. Data Integration: Involves the seamless integration of various data sources, ensuring interoperability and cohesion in the overall data landscape.
4. Backup and Recovery: Implements strategies and protocols for data backup and recovery to prevent data loss and ensure business continuity, to align with several information security standards, such as the ISO 27001 standard. Along with this, the company should also set up a disaster recovery plan.
5. Metadata Management: Metadata refers to the information that describes other information and should be managed to provide context and understanding to data, facilitating effective organization and utilization. For example, metadata for a document would include the date the document was created, the date it was last modified, the number of words, and the document's language.
6. Data Governance Implementation: Collaborates with data governance to implement IT practices that align with and support business-driven data governance policies.

Data Governance
DAMA Data Governance

Introduction
• DAMA DMBoK v2 serves as a comprehensive framework developed by DAMA International for effective data management practices.
• It encompasses principles, functions, and disciplines to ensure data is managed throughout its lifecycle.

DAMA Applicability:
• DAMA is applicable across industries (finance, healthcare, retail, and other sectors) for effective data management.
• It guides organizations in implementing comprehensive data management practices by providing a structured approach to managing data throughout its lifecycle.

DAMA Principles:
• Alignment with Business Objectives: Integrates data management with organizational goals and strategies. Ensures data initiatives support business growth and innovation.
• Compliance and Risk Management: Ensures compliance with data regulations (e.g., GDPR, HIPAA). Manages data-related risks and ensures data protection.

Benefits
• Enhances data quality by improving data accuracy, completeness, consistency and reliability.
• Enables informed decision-making by providing reliable and timely data for strategic decision-making.
• Supports Regulatory Compliance by ensuring adherence to data privacy and security regulations.

Key Components (figure: the DAMA wheel, with Data Governance at the centre surrounded by Data Architecture, Data Modelling & Design, Data Storage, Data Security, Data Integration, Document & Content Management, Reference & Master Data, Data Warehousing & BI, Metadata Management and Data Quality)

Data Governance
Relationship between Data Governance and Data Quality

Data Governance
Data governance involves defining decision rights and establishing an accountability framework. It sets the rules and guidelines for how data is created, used, updated, and deleted within an organization. The goal is to encourage desirable behaviour in managing data across its entire life cycle.

Data Quality Management
Data quality management focuses on ensuring the accuracy, completeness, consistency, and reliability of data. It involves processes, roles, standards, and metrics to monitor and enhance the quality of data. The objective is to enable the effective and efficient use of data to support an organization in achieving its goals.

Relationship between data governance and data quality management
• Common Objectives: Both data governance and data quality management share a common objective of enhancing the value and reliability of organizational data. They aim to ensure that data is accurate, trustworthy, and aligned with organizational goals.
• Interdependence: Data quality management processes contribute significantly to the overall data governance framework. The ISO 8000 specified processes, such as Data Quality Strategy Management, Policy/Standards/Procedures Management, Implementation Planning, Organization Management, and Human Resource Management, are integral components of effective data governance.
• Alignment of Goals and Standards: Data quality processes, roles, and standards are aligned with the decision rights and accountability framework established by data governance. This alignment ensures that data quality efforts are in harmony with the broader governance structure.
• continuous improvement of data governance practices. As data quality issues are identified and addressed, governance processes are refined to prevent similar issues in the future.
• Holistic Approach: The collaboration between data governance and data quality management creates a holistic approach to managing data. Governance sets the rules and guidelines, while data quality management provides the tools and processes to enforce those rules and maintain high data quality standards.
• Feedback Loop: Data quality metrics and performance evaluations established in data quality management processes provide a feedback loop to data governance. This loop helps governance teams assess the effectiveness of their decisions and policies, allowing for adjustments and improvements.

Data Governance
ISO 8000: A New International Standard for Data Quality

A global standard
• ISO 8000 is the global standard for Data Quality and Enterprise Master Data. It describes the features and defines the requirements for standard exchange of Master Data among business partners. It establishes the concept of Global Portability as a requirement for Enterprise Master Data, and the concept that true Enterprise Master Data is unique to each organization.
• Master Data is commonly used to manage critical business information about products, services and materials, constituents, clients and counterparties, and for certain immutable transactional and operational records. Application of this standard has already proven it can significantly reduce procurement costs, promote inventory rationalization, and deliver greater efficiency and cost savings in supply chain management.

Managing critical data
• ISO 8000 is one of the emerging technology standards that large and complex organizations are turning to in order to improve business processes and control operational costs. The standard is in the process of being published as a number of separate documents, which ISO calls "parts".
• Three organizations have received awards for the exemplary implementation and use of the international standard for data quality – ISO 8000. These organizations were Corning Incorporated, Sodexo Australia and Vestas Wind Systems. The fast emerging adoption of ISO 8000 helped to improve master data quality and data portability, as well as the implementation of data management tools and processes.

Data Governance
ISO 8000: Parts
⮚ Data Standards are an essential part of Data Governance as they provide a uniform and standard framework that can be used across systems, databases and even organizations to help govern how data is managed, used, represented, defined, formatted, structured and transmitted.
⮚ They are crucial for an organization that wants to maintain a high level of data quality for decision making.

Data Governance
Quiz

1. What are common challenges in implementing Data Governance?
A) Data integration and metadata management
B) Role definition and organizational resistance
C) Data analysis and performance indicators alignment
D) Data security and compliance audits

2. How does Data Governance relate to Risk Management?
A) By ensuring data accessibility and encryption
B) By identifying and mitigating data-related risks
C) By implementing data backup and recovery solutions
D) By conducting data analysis and reporting

3. What is the relationship between Data Management and Data Governance?
A) Data Management ensures data quality, while Data Governance ensures data security.
B) Data Management focuses on data integration, while Data Governance defines data ownership.
C) Data Management encompasses the lifecycle of data, supported by Data Governance policies.
D) Data Management involves data privacy, while Data Governance handles data compliance.

4. How does ISO 8000 relate to Data Governance?
A) It defines standards for data quality management.
B) It specifies guidelines for data encryption.
C) It regulates data storage practices.
D) It outlines data integration strategies.

5. What role does compliance play in Data Governance?
A) It ensures alignment with industry best practices.
B) It focuses on data encryption and access control.
C) It defines security measures for data protection.
D) It ensures adherence to regulatory requirements.

Answers
1. B 2. B 3. C 4. A 5. D

Data Governance
Thank you!

Dimensions of Risk Management
(Data Privacy and Security)

July 2024

Contents
1. Understanding Data Privacy
2. Understanding Data Security
3. Benefits and Challenges of Data Privacy & Security
4. Risk Management vs data privacy vs data security
5. Understanding India’s DPDP Act
6. Quiz

Page 128 December 27, 2024
Data Privacy
Introduction

Background
Data privacy refers to the policies, procedures, and controls put in place to protect personal information from unauthorized access, use, and disclosure. It ensures that individuals have control over how their personal data is collected, stored, and shared.
Data privacy is fundamental to maintaining trust with stakeholders and customers, as it safeguards sensitive information such as personally identifiable information (PII), health records, and financial data. Compliance with data privacy regulations, like GDPR and CCPA, is critical to avoid legal ramifications and maintain ethical standards in data handling.

Requirement
Effective data privacy practices are essential to safeguard individuals' rights and foster trust with stakeholders and customers. Organizations must implement robust policies and procedures to ensure compliance with data privacy regulations such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).
These regulations mandate transparent data handling practices, including informed consent for data collection, clear disclosures on data usage, and the right to access and rectify personal information. By prioritizing data privacy, organizations not only mitigate the risk of legal penalties and regulatory fines but also enhance customer confidence and loyalty.

1. Benefits of Data Privacy
By prioritizing data privacy, organizations ensure that personal data, such as names and financial details, is protected from unauthorized access or use. This commitment is crucial for maintaining trust with stakeholders and customers, as it shows respect for individuals' privacy rights and regulatory compliance.

2. Challenges of Data Privacy
Implementing effective data privacy measures faces challenges such as gaining company-wide acceptance of policies, addressing poor data management practices, and navigating diverse regulatory requirements. Standardizing privacy practices and staying abreast of evolving laws and technologies are also critical hurdles.

3. Foresight
In the future, data privacy will evolve towards aligning practices, roles & responsibilities with achieving business goals. The success of data privacy initiatives will be measured by their ability to deliver tangible business value, ensuring compliance with regulations while fostering trust with stakeholders and enhancing organizational reputation.

Data Privacy and Security

Data Privacy: Respecting Privacy, Safeguarding Information

Objective
• Ensure the protection of personal information from unauthorized access, use, or disclosure.
• Uphold individuals' rights to control how their data is collected, processed, and shared.

Crucial Aspects
• Compliance with Regulations: Adherence to data privacy laws such as GDPR, CCPA, and others.
• Transparency: Clear communication with individuals about data practices and policies.
• Data Minimization: Collect and retain only necessary data for specified purposes.
• Security Measures: Implement robust technical measures to safeguard data.
• Accountability: Establish mechanisms for accountability and oversight of data handling practices.

Data Privacy and Security

Data Security
Introduction

Background
Data security encompasses the protective measures and strategies employed to safeguard data integrity, confidentiality, and availability against unauthorized access, cyberattacks, and other threats.
Data security is paramount in preventing unauthorized access, data breaches, and cyber threats that could compromise sensitive information. It involves implementing encryption, access controls, authentication mechanisms, and cybersecurity protocols to ensure data remains protected throughout its lifecycle.

Requirement
Robust data security measures are critical to protect sensitive information from evolving cyber threats and unauthorized access. Organizations must adopt comprehensive strategies that encompass encryption, access controls, multi-factor authentication, and intrusion detection systems to safeguard data integrity, confidentiality, and availability. Compliance with industry-specific regulations such as PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act) is paramount to ensure the secure handling of financial data and protected health information. By investing in robust data security frameworks, organizations can mitigate the risk of data breaches, financial losses, and operational disruptions.

1. Benefits of Data Security
Key components of data security include encryption, strong access controls, multi-factor authentication, regular security audits, and incident response protocols. By prioritizing data security, organizations can mitigate risks associated with cyberattacks, data theft, and operational disruptions.

2. Challenges of Data Security
Ensuring robust data security encounters challenges like fostering organization-wide commitment to security protocols, mitigating vulnerabilities from poor security practices, and navigating diverse regulatory requirements. Standardizing security measures and keeping pace with evolving threats and technologies are also critical challenges.

3. Foresight
The effectiveness of data security measures will be gauged by their capacity to mitigate evolving cyber threats, ensure regulatory compliance, and uphold stakeholder trust. Ultimately, the future of data security will prioritize business resilience and continuity in an increasingly interconnected and digital world.

Data Privacy and Security

Data Security: Protecting Data, Securing Trust

Objective
• Protect organizational data assets from unauthorized access, breaches, and cyber threats.
• Ensure the confidentiality, integrity, and availability of data across its lifecycle.

Crucial Aspects
• Risk Management: Identify, assess, and mitigate risks to data security through proactive measures.
• Security Controls: Implement strong access controls, encryption, and authentication mechanisms.
• Compliance: Adhere to industry standards and regulations such as PCI DSS, HIPAA, and ISO 27001.
• Incident Response: Develop and maintain incident response plans to swiftly address security breaches.
• Awareness and Training: Educate employees on data security best practices and their roles in safeguarding data.

Data Privacy and Security

Data Privacy & Security: Aspects

Data Privacy
1. Consent: Obtaining and managing consent from individuals for collecting and processing their personal data is crucial to ensure compliance with privacy regulations.
2. Purpose Limitation: Ensuring that personal data is collected only for specific, explicit, and legitimate purposes helps prevent misuse and ensures transparency.
3. Security: Implementing appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, or destruction.
4. Transparency: Providing clear and accessible information to individuals about how their data is processed helps build trust and allows individuals to make informed decisions.
5. Accountability: Taking responsibility for complying with data protection laws and regulations, including maintaining records of processing activities.

Data Security
1. Confidentiality: Ensuring that data is accessible only to authorized individuals or systems prevents unauthorized access and protects sensitive information.
2. Integrity: Maintaining the accuracy and consistency of data throughout its lifecycle ensures that data is reliable and trustworthy.
3. Authentication: Verifying the identity of users and systems accessing data helps prevent unauthorized access and ensures data confidentiality.
4. Encryption: Protecting data by converting it into a form that cannot be easily understood without authorization ensures that even if data is intercepted, it remains secure.
5. Monitoring and Auditing: Continuously monitoring data access and usage, and assessing compliance with security policies and regulations, helps detect and respond to security incidents promptly.

Data Privacy and Security

Relationship between Data Privacy and Data Security

The relationship between data privacy and data security is crucial in safeguarding sensitive information and maintaining trust with stakeholders. Here’s how they are interconnected:

1. Protection Goals: Both data privacy and data security aim to protect data, but they focus on different aspects. Data privacy focuses on protecting the privacy rights of individuals, ensuring that personal data is collected, processed, and used in accordance with legal requirements and individuals’ expectations. Data security, on the other hand, focuses on protecting data from unauthorized access, breaches, and cyber threats, ensuring its confidentiality, integrity, and availability.

2. Implementation Measures: Data privacy and data security are implemented through complementary measures. Data privacy measures include obtaining consent for data processing, implementing purpose limitation, and ensuring transparency in data handling practices. Data security measures include implementing access controls, encryption, authentication mechanisms, and monitoring systems to protect data from cyberattacks.

3. Compliance and Regulations: Both domains are governed by regulatory requirements and standards. Data privacy regulations (e.g., GDPR, CCPA) mandate organizations to protect individuals' privacy rights and personal data. Compliance with these regulations often requires implementing robust data security measures to protect personal data from unauthorized access, breaches, and other threats.

4. Mutual Reinforcement: Effective data privacy practices contribute to enhancing data security. By implementing data minimization, encryption, and access controls as part of data privacy measures, organizations can strengthen their overall data security posture. Similarly, robust data security measures support data privacy by ensuring that personal data is protected against unauthorized access and breaches, thus maintaining individuals' privacy rights.

5. Trust and Reputation: Together, data privacy and data security help build and maintain trust with stakeholders, including customers, employees, and partners. Demonstrating a commitment to protecting personal data through comprehensive data privacy and security measures enhances organizational reputation and fosters trust. Conversely, data breaches or privacy incidents can damage trust and reputation, highlighting the interconnectedness of data privacy and security in safeguarding organizational credibility.

Data Privacy and Security

Data Privacy & Security: Benefits

01 Protection of Personal Information
Data privacy measures safeguard individuals' personal information such as contact details, financial records, health information, and more. This protection is crucial in preventing identity theft, fraud, and unauthorized access.

02 Trust and Reputation
Organizations that prioritize data privacy and security build trust with their customers, clients, and stakeholders. A strong reputation for protecting sensitive information enhances credibility and fosters long-term relationships.

03 Compliance with Regulations
Adhering to data privacy regulations and standards (e.g., GDPR, CCPA) ensures legal compliance. This not only mitigates legal risks and potential fines but also demonstrates a commitment to ethical practices.

04 Mitigation of Data Breaches
Effective data security measures reduce the risk of data breaches and cyberattacks. By implementing encryption, access controls, and regular security audits, organizations can minimize the impact of breaches and protect sensitive data from falling into malicious hands.

05 Business Continuity and Risk Management
Data privacy practices contribute to overall risk management strategies. By identifying vulnerabilities and implementing proactive measures, organizations can mitigate risks associated with data loss, operational disruptions, and reputational damage.

06 Facilitation of Innovation and Collaboration
Secure data environments encourage innovation and collaboration. When individuals and organizations feel confident that their data is protected, they are more likely to share and analyze information, driving research, development, and advancements in various fields.

Data Privacy and Security

Data Privacy & Security: Challenges

Complex Regulatory Landscape
⮚ Compliance with diverse and evolving data privacy laws (e.g., GDPR, CCPA) can be complex and resource-intensive.
⮚ Organizations need to stay updated with regulatory requirements and adapt their policies and practices accordingly.

Balancing Privacy with Data Utility
⮚ There is a delicate balance between ensuring data privacy and maximizing the utility of data for legitimate purposes such as research.
⮚ Organizations must navigate this balance carefully while respecting individuals' privacy rights.

Rapid Technological Advancements
⮚ Technology evolves rapidly, presenting both opportunities and challenges for data security.
⮚ New technologies such as IoT (Internet of Things) devices and AI introduce new vulnerabilities that require careful management and proactive security measures.

Data Breach Impact
⮚ Data breaches can have severe financial, legal, and reputational consequences.
⮚ The impact of a breach extends beyond immediate financial losses to include regulatory fines, litigation costs, loss of customer trust, and damage to brand reputation.

Sophisticated Cyber Threats
⮚ Cyber threats are becoming increasingly sophisticated, ranging from phishing attacks to ransomware and insider threats.
⮚ Organizations need robust cybersecurity strategies to protect against these threats and respond effectively in case of a breach.

Resource Constraints
⮚ Implementing and maintaining robust data privacy and security measures require significant resources, including financial investment, skilled personnel, and ongoing training.
⮚ Small and medium-sized enterprises (SMEs) may face challenges in this regard.

Data Privacy and Security

Data Privacy vs Data Security vs Risk Management

Data Privacy
Data privacy focuses on how personal or sensitive information is collected, used, shared, and managed. It deals with ensuring that individuals have control over their personal data and that organizations handle it in a lawful, transparent, and ethical manner. Key aspects of data privacy include consent, anonymization, access controls, and compliance.

Data Security
Data security focuses on protecting data from unauthorized access, use, disclosure, modification, or destruction. It involves implementing technical and organizational measures to safeguard data integrity, confidentiality, and availability. Key aspects of data security include encryption, firewalls and intrusion detection systems, authentication and access control, and backup and recovery.

Risk Management
Risk management involves identifying, assessing, and prioritizing risks to an
organization's data assets and implementing strategies to mitigate or manage
those risks effectively. It encompasses both data privacy and data security
considerations, along with broader organizational risks. Key aspects of risk
management include risk assessment, risk mitigation, incident response,
continuous monitoring and improvement.

Relationship and Integration


• Overlap:
Data privacy and data security are closely intertwined; effective security measures are essential for protecting privacy, and privacy principles guide
how security measures should be implemented.
• Complementary:
Risk management integrates data privacy and security into broader organizational risk assessments, ensuring that data-related risks are managed in
alignment with overall business objectives.

Data Privacy and Security

Introduction to India’s Digital Personal Data Protection Act
The Digital Personal Data Protection Bill was introduced in Lok Sabha on August 3rd, 2023, passed by Lok Sabha on August 7th, 2023 and finally passed by Rajya Sabha on August 9th, 2023. The Digital Personal Data Protection Bill then became the Digital Personal Data Protection Act upon the assent of the President and was published on August 11th, 2023.
The Act gives equal merit for protection to all digital personal data and does not define any data category as sensitive personal data/critical data.

The Act applies to:
Within Indian Territory:
► This bill applies to personal data which is collected in:
► Digital form
► Non-digital form but digitised subsequently
Outside Indian Territory:
► This bill shall apply to processing of personal data outside Indian territory in connection with:
► Any activity related to offering of goods or services to data principals within the territory of India

Doesn’t apply to:
► personal data processed by an individual for any personal or domestic purpose
► personal data that is made or caused to be made publicly available by the data principal to whom such
► Person who is under an obligation under any law for the time being in force in India

KEY DEFINITIONS
1. Data Principal: means the individual to whom the personal data relates and where such individual is:
 a child, includes the parents or lawful guardian of such a child
 a person with disability, includes her lawful guardian, acting on her behalf
2. Personal Data: means any data about an individual who is identifiable by or in relation to such data
3. Data Fiduciary: means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data
4. Data Processor: means any person who processes personal data on behalf of a Data Fiduciary
5. Data Protection Officer: means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10
6. Consent Manager: means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform
7. Board: means the Data Protection Board of India established by the Central Government under section 18

Data Privacy and Security

Key highlights of the Digital Personal Data Protection Act

1. Grounds for processing personal data
► This Act mentions the below points as the primary grounds for processing personal data:
 1. Consent
 2. Legitimate use of data

2. Consent
► Personal data will be processed only for a lawful purpose upon consent of an individual
► Notice must be given before seeking consent
► Consent can be withdrawn at any point of time
► The data principal may give, manage, review or withdraw consent through a consent manager, who shall be accountable to the data principal
► The consent manager shall be registered with the Board
► For individuals under 18 years of age, consent will be provided by the parent or the legal guardian

3. Legitimate uses
► Data Fiduciary may process personal data for certain legitimate uses such as:
 1. Data Principal has voluntarily provided her personal data and has not indicated that she does not consent to the use of her personal data
 2. for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee

4. Rights of Data Principal
► The Act grants certain rights to individuals including:
 1. Right to obtain information
 2. Right to seek correction and erasure
 3. Right to grievance redressal
 4. Right to nominate

5. Duties of Data Principal
► The Act imposes certain duties on data principals such as:
 1. they must not lodge a false or frivolous complaint, furnish any false particulars or impersonate another person in specified cases
 2. Violation of duties will be punishable with a penalty of up to Rs 10,000

6. Data transfer outside India
► The Act allows transfer of personal data outside India, except to countries restricted by the central government through notification
► The Act also specifies that if there exists any other law which provides a higher degree of protection with respect to transfer of personal data outside India, then such regulations will be considered.

Data Privacy and Security

Key highlights of the Digital Personal Data Protection Act

7. Notice
► The notice should contain the details about the personal data such as:
 1. The purpose of the processing
 2. Rights of the Data Principal
 3. The way in which the rights can be exercised
► The contents of the notice should be in English or any other language mentioned in our constitution

8. Significant Data Fiduciary
► The Central Government may notify any data fiduciary as an SDF based on some factors such as:
 1. volume and sensitivity of personal data processed
 2. Risk to the rights of the Data Principal
 3. Potential impact on integrity of India
► Such an SDF shall:
 1. appoint a DPO
 2. appoint an independent auditor
 3. undertake compliance measures like Data Protection Assessment

9. Data Protection Board of India
► The central government will establish the Data Protection Board of India for functionalities such as:
 1. Monitoring compliance
 2. Imposing penalties
 3. directing data fiduciaries in the event of a data breach
 4. hearing grievances made by affected persons
► Appeals against the decisions of the Board will lie with TDSAT (Telecom Disputes Settlement and Appellate Tribunal)

10. Breach
► Data Fiduciaries need to inform the affected Data Principals as well as the Data Protection Board in case of any data breaches
► No specific timeline has been mentioned in the Act for breach notification, so “as soon as possible” shall be considered

11. Data transfer outside India
► The Act allows transfer of personal data outside India, except to countries restricted by the central government through notification
► The Act also states that if there exists any other law which provides a higher degree of protection in processing of personal data, then such regulations will take precedence

12. Penalties
► The Act specifies penalties for various offences such as:
 1. up to Rs 200 crore for non-fulfilment of obligations for children
 2. Rs 250 crore for failure to take security measures to prevent data breaches
► Penalties will be imposed by the Board after conducting an inquiry

Data Privacy and Security

Quiz

1. Which of the following is NOT a key aspect of data privacy?
A. Obtaining consent for data collection.
B. Anonymizing personal data.
C. Securely storing data backups.
D. Complying with data protection regulations.

2. Why is foresight important in data security?
A. To eliminate all potential threats.
B. To prepare for future cyberattacks and vulnerabilities.
C. To share data openly with competitors.
D. To increase data storage costs.

3. What does risk management encompass in relation to data privacy and data security?
A. Identifying, assessing, and mitigating risks to data assets.
B. Maximizing data collection.
C. Encrypting all data.
D. Ignoring data protection regulations.

4. What is the concept of a "data fiduciary" under India's Data Protection Bill (DPDP Act)?
A. An individual who provides personal data for processing.
B. An organization or entity that determines the purposes and means of processing personal data.
C. A government agency responsible for enforcing data protection regulations.
D. A data processor who handles personal data on behalf of a data controller.

5. What penalties does India's DPDP Act impose for non-compliance?
A. Warning and corrective action by the Data Protection Authority (DPA).
B. Suspension of data processing activities for a specified period.
C. Monetary fines up to a certain percentage of annual turnover or a fixed amount.
D. Community service and public disclosure of non-compliance.

Answers
1. C 2. B 3. A 4. B 5. C
Thank you!
NIST 800-171 Assessment
Page 143
Introduction

The National Institute of Standards and Technology (NIST) is a U.S. federal agency responsible for developing and promoting standards and guidelines to advance technology, measurement, and cybersecurity. NIST's work influences a wide range of industries and plays a key role in enhancing innovation and security in the United States.

Key Functions
1 Develop and maintain measurement standards: NIST develops the national standards for measurement, ensuring accuracy and reliability.
2 Research and Innovation: NIST conducts research to drive innovation and economic growth.
3 Testing and Certifications: NIST conducts tests and provides certifications for organisations to ensure they meet established standards.
4 Calibration services: NIST provides calibration services to ensure that the instruments used are accurate.
5 Educational outreach: NIST engages in educational activities to promote science and technology education.
6 Collaboration with industry and academia: NIST works closely with industry and academic institutions to foster innovation and transfer technology to the marketplace.
7 Standards/guidelines for technology and cybersecurity: NIST develops standards, guidelines, and best practices to help organizations manage cybersecurity risks.
Page 144
NIST Frameworks

The National Institute of Standards and Technology (NIST) has developed several frameworks and guidelines to help organizations manage and reduce cybersecurity risks. Three key documents among these are the NIST Cybersecurity Framework (CSF), NIST Special Publication 800-53, and NIST Special Publication 800-171.

1 NIST Special Publication 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
2 NIST Cybersecurity Framework: a set of guidelines published by NIST for mitigating organizational cybersecurity risks, built on existing standards, guidelines, and practices
3 NIST Special Publication 800-171 Rev. 3: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Page 145
NIST Frameworks

NIST CSF
• Purpose: Offers a strategic approach to cybersecurity risk management
• Applicability: Broadly applicable across industries to improve cybersecurity posture
• Customization: Highly customizable
• Ease of Integration: Designed for ease of integration with existing risk management processes
• Business Operations: Aims to strengthen cybersecurity without disrupting business operations

NIST 800-53
• Purpose: Provides a detailed catalogue of security controls for achieving compliance with federal cybersecurity requirements
• Applicability: Specific to federal information systems
• Customization: Offers a comprehensive set of controls that can be tailored
• Ease of Integration: Requires a more rigorous assessment for integration
• Business Operations: May necessitate significant changes to IT infrastructure and processes

NIST 800-171
• Purpose: Focuses on safeguarding sensitive government data on non-federal systems
• Applicability: Essential for entities engaging with the federal government
• Customization: Provides a focused set of requirements for CUI protection
• Ease of Integration: Focused on integrating specific protections for CUI
• Business Operations: Directly impacts how organizations handle government data
Page 146
2 NIST 800-171
Page 147
NIST 800-171

NIST SP 800-171 aims to protect Controlled Unclassified Information (CUI) in non-federal systems and is essential for organizations working with the U.S. government. The standard emphasizes the confidentiality of sensitive data when it is handled by contractors or subcontractors outside federal systems.
The purpose of the NIST SP 800-171 publication is to:
• Provide a set of security requirements for protecting the confidentiality of Controlled Unclassified Information in non-federal systems and organizations, helping them meet their contractual security obligations and protect sensitive data when doing business with the U.S. government or handling government-related information.
• Rev. 3 organizes these into 17 control families containing a total of 97 security requirements (the publication calls them "requirements"; they are commonly referred to as controls, as in the family tables that follow).

Key Highlights of NIST SP 800-171

Applicability: NIST SP 800-171 is applicable to non-federal organizations that handle Controlled Unclassified Information (CUI) and are required to meet security standards when interacting with the federal government.

Security Controls: NIST SP 800-171 controls address key aspects of information security, including access control, incident response, and system protection, enabling organizations to safeguard CUI effectively.

Privacy Controls: NIST SP 800-171 emphasizes security controls and offers limited guidance on privacy, so organizations often need to integrate additional privacy measures to address specific data protection and compliance requirements.
Page 148
NIST 800-171 Control Families

1 Access Control (Total Controls: 16)
Restricts access to information and systems to authorized users.
Risk: Unauthorized access can lead to data breaches and loss of sensitive information.

2 Awareness and Training (Total Controls: 2)
Ensures personnel are trained on security risks and practices.
Risk: Inadequate training can lead to human error and increased vulnerability.

3 Audit and Accountability (Total Controls: 8)
Monitors and records system activities to ensure accountability.
Risk: Lack of audits can result in undetected security incidents and accountability issues.

4 Configuration Management (Total Controls: 10)
Manages changes to information systems to maintain security.
Risk: Poor configuration can create vulnerabilities, leading to exploitation.

5 Identification and Authentication (Total Controls: 8)
Verifies the identity of users and devices accessing systems.
Risk: Weak identification can lead to unauthorized access and data compromise.

6 Incident Response (Total Controls: 5)
Prepares for and manages security incidents effectively.
Risk: Inadequate response can worsen the impact of security breaches.
Page 149
NIST 800-171 Control Families

7 Maintenance (Total Controls: 3)
Controls maintenance activities for information systems.
Risk: Neglected maintenance can lead to vulnerabilities and operational failures.

8 Media Protection (Total Controls: 7)
Protects information stored on physical media.
Risk: Improper handling of media can result in unauthorized data exposure or loss.

9 Personnel Security (Total Controls: 2)
Ensures personnel are trustworthy and properly vetted.
Risk: Inadequate vetting can lead to insider threats and breaches.

10 Physical Protection (Total Controls: 5)
Safeguards physical access to systems and facilities.
Risk: Physical breaches can lead to data theft or tampering.

11 Risk Assessment (Total Controls: 5)
Identifies and evaluates risks to operations and assets.
Risk: Failure to assess risks can lead to unaddressed vulnerabilities.

12 Security Assessment (Total Controls: 4)
Evaluates the effectiveness of security controls and compliance.
Risk: Lack of assessments can result in undetected vulnerabilities and compliance failures.
Page 150
NIST 800-171 Control Families

13 Systems and Communications Protection (Total Controls: 10)
Safeguards communication channels and system integrity.
Risk: Unsecured systems can lead to data interception and unauthorized access.

14 System and Information Integrity (Total Controls: 5)
Monitors systems for integrity violations and vulnerabilities.
Risk: Without integrity checks, systems may be compromised by malware or unauthorized changes.

15 Planning (Total Controls: 3)
Develops security plans addressing risks and requirements.
Risk: Lack of planning can result in uncoordinated security measures and vulnerabilities.

16 System and Services Acquisition (Total Controls: 3)
Ensures that security requirements are integrated into system acquisition.
Risk: Failure to integrate security can lead to acquiring vulnerable systems.

17 Supply Chain Risk Management (Total Controls: 3)
Identifies and mitigates risks associated with the supply chain.
Risk: Unmanaged supply chain risks can lead to compromised components and data.
Page 151