ISO 31000 - Risk Management 2022


Mg.

Elmer Quiroz
Cybersecurity expert
Expert in cybersecurity audit, information security, business continuity
and personal data protection for the financial sector, education and
information technologies.
Official instructor in ZERO SECURITY, for LCSPC and ISO 27001
certification
University Professor and IT Auditor.
Internationally certified in ISO 27001, ISO 31000, ISO 22301, ISO 20000
and LCSPC standards.
Methodologies for Risk Management
• COSO model
• COBIT© (figure shows two of its principles: 1. Satisfy the needs of the interested parties; 3. Apply a single integrated reference framework)
• ISO 31000 Risk Management
• Regulations of the Superintendence of Banking, Insurance and AFP
Concepts of Risk Management
ISO 31000 Risk Management Guidelines
• The ISO generic risk management framework.
• Provides generic principles and guidelines on risk management.
• It can be applied to any type of risk, whatever its nature or consequences.
• Not intended for the certification of an organization.
Terms and definitions
• Risk: Effect of uncertainty on objectives.
• Risk management: Coordinated activities to direct and control the organization in relation to risk.
• Interested party: Person or organization that may affect, be affected by, or perceive itself to be affected by a decision or activity.
• Source of risk: Element that, alone or in combination with others, has the potential to give rise to risk.
• Event: Occurrence or change of a particular set of circumstances.
• Consequence: Outcome of an event that affects the objectives.
• Probability: Chance of something happening.
What are we facing?
General context of risk management

[Figure: examples of risk sources shown on the slide: earthquake, systems unavailability, cyberattacks, and a further label reading "... of information" (first word not recoverable).]
ISO 31000:2018 – Risk Management
ISO 31000 is the international standard that heads a family of standards on risk management codified by the International Organization for Standardization (ISO). The purpose of ISO 31000:2018 is to provide principles and guidelines for risk management and for the risk management process implemented at the strategic and operational level.

ISO 31000:2018 – Risk Management
• It is iterative and assists organizations in establishing their strategy, achieving their objectives and making informed decisions.
• It is part of governance and leadership and is fundamental to the way the organization is managed at all levels. This contributes to the improvement of management systems.
• It is part of all activities associated with the organization and includes interaction with interested parties.
• It considers the external and internal contexts of the organization, including human behavior and cultural factors.
• It is based on the principles, framework and process described in this document.
Principles, framework and process
[Figure: the three components of ISO 31000:2018 and how they relate.
Principles (chapter 4): value creation and protection at the center, surrounded by Integrated, Structured and exhaustive, Adapted, Inclusive, Dynamic, Best information available, Human and cultural factors, Continuous improvement.
Framework (chapter 5): Leadership and commitment at the center, surrounded by Integration, Design, Implementation, Evaluation, Improvement.
Process (chapter 6).]
Principles
The purpose of risk management is the creation and protection of value. Improves performance, encourages
innovation and contributes to the achievement of objectives.
Principles
a) Integrated
Risk management is an integral part of all the organization's activities.
b) Structured and exhaustive
A structured and comprehensive approach to risk management contributes to consistent
and comparable results.
c) Adapted
The risk management framework and process are adapted and proportional to the external
and internal contexts of the organization related to its objectives.
d) Inclusive
Appropriate and timely involvement of stakeholders allows their knowledge, views and
perceptions to be considered. This results in increased awareness and informed risk
management.
e) Dynamic
Risks can appear, change or disappear with changes in the external and internal contexts of
the organization. Risk management anticipates, detects, recognizes and responds to those
changes and events in an appropriate and timely manner.
Principles
f) Best information available
Inputs to risk management are based on historical and current information as well as future
expectations. Risk management explicitly takes into account any limitations and
uncertainties associated with such information and expectations. Information should be
timely, clear and available to relevant stakeholders.
g) Human and cultural factors
Human behavior and culture significantly influence all aspects of risk management at all levels and stages.
h) Continuous improvement
Risk management continually improves through learning and experience.
Generalities
• The development of the reference framework involves integrating, designing, implementing, assessing and improving risk management throughout the entire organization.
[Figure: framework cycle with Leadership and commitment at the center and Integration, Design, Implementation, Assessment and Improvement around it.]
Process
• The risk management process involves the systematic application of policies, procedures and practices to the activities of communication and consultation, establishing the context, and the assessment, treatment, monitoring, review, recording and reporting of risk.
[Figure: the risk management process: Scope, context, criteria; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; Recording and reporting; with Communication and consultation and Monitoring and review alongside.]
Scope definition
The organization should define the scope of its risk management activities.
As the risk management process can be applied at different levels (for example: strategic, operational, program, project or other activities), it is important to be clear about the scope considered, the relevant objectives to be considered and their alignment with the objectives of the organization.
External and internal contexts
The external and internal contexts are the environment in which the organization seeks to define and achieve its objectives.
The context of the risk management process should be established from an understanding of the external and internal environments in which the organization operates, and should reflect the specific environment of the activity to which the risk management process is to be applied.
Definition of risk criteria
• The organization should specify the amount and type of risk that it can or cannot take, in relation to its objectives.
• It should define the criteria to assess the significance of risk and to support decision-making processes.
• Risk criteria should be aligned with the risk management framework and tailored to the specific purpose and scope of the activity considered.
Risk assessment
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
Risk assessment should be carried out in a systematic, iterative and collaborative manner, based on the knowledge and views of stakeholders. The best available information should be used, supplemented by additional research if necessary.
Risk treatment
The purpose of risk treatment is to select and implement options to address risk.
Risk treatment involves an iterative process of:
• formulating and selecting options for risk treatment;
• planning and implementing risk treatment;
• evaluating the effectiveness of that treatment;
• deciding whether the residual risk is acceptable;
• if it is not acceptable, performing additional treatment.
Risk Management Techniques
• Avoid. The risk is avoided when the organization refuses to accept it, that is, no exposure of any kind is allowed.
• Reduce. When the risk cannot be avoided because of operational difficulties, the alternative may be to reduce it to the lowest possible level.
• Transfer. Seeking support from, and sharing the risk with, other entities or controls.
• Retain, assume or accept the risk. One of the most common methods of risk management: the decision to accept the consequences should the event occur. It can be voluntary or involuntary.
Risk Map or Heat Map
Methodology by which a process is reviewed to identify risk factors, the frequency and impact of events, the controls and their effectiveness, and the residual risk, in order to draw up risk maps and adopt corrective measures.
[Figure: steps of the methodology: definition of business areas; definition of risk types; preparation of questionnaires; interviews with those responsible for each area; qualitative evaluation of risks and controls; identification of improvement opportunities.]
Evaluation techniques: Qualitative
• Probability of occurrence
• Impact
Evaluation techniques: Quantitative
Risk heat map (probability x impact)
Probability (frequency): 5 - Almost certain; 4 - Probable; 3 - Possible; 2 - Unlikely; 1 - Rare
Impact: 1 - Insignificant; 2 - Minor; 3 - Moderate; 4 - Major; 5 - Catastrophic
Risk levels shown on the map: LOW, MEDIUM, HIGH, EXTREME
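The heat-map scoring above and the iterative treatment loop described under "Risk treatment" (select an option, implement it, re-evaluate the residual risk, treat again if it is still not acceptable) can be expressed as a small risk register. The following is an added example, not code from the slides or from ISO; the 1..5 scales are taken from the heat map, but the score boundaries for the four levels, the acceptable-level criterion, the sample risks and the effect each treatment has on the scores are constructed assumptions for illustration only.

```python
"""Added example (not part of the original slides): a minimal risk register that
applies the qualitative heat-map scoring from the slides (probability 1-5 x
impact 1-5) and runs the ISO 31000 treatment loop: select a treatment option,
apply it, re-score the residual risk and stop once the risk criteria are met.
Sample risks, score deltas and level boundaries are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass, replace

# Scales exactly as labelled on the heat-map slide.
PROBABILITY = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Probable", 5: "Almost certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Risk criteria ("definition of risk criteria"): levels the organization is
# willing to retain.  Assumption for this example.
ACCEPTABLE_LEVELS = frozenset({"LOW", "MEDIUM"})


def risk_level(probability: int, impact: int) -> str:
    """Map a probability x impact pair onto the four levels named on the heat map.
    The slide only names the levels; the score boundaries below are an assumption
    for the example, not taken from the standard."""
    if probability not in PROBABILITY or impact not in IMPACT:
        raise ValueError("probability and impact must be integers 1..5")
    score = probability * impact
    if score >= 15:
        return "EXTREME"
    if score >= 8:
        return "HIGH"
    if score >= 4:
        return "MEDIUM"
    return "LOW"


@dataclass(frozen=True)
class Treatment:
    """One treatment option.  `option` is one of the four techniques from the
    slides (Avoid, Reduce, Transfer, Retain); the deltas are the expected change
    in the 1..5 scores once the treatment is in place (constructed values)."""
    option: str
    name: str
    probability_delta: int = 0
    impact_delta: int = 0


@dataclass(frozen=True)
class Risk:
    perspective: str          # one of the 10 IT perspectives from the slides
    description: str
    probability: int
    impact: int
    applied: tuple = ()       # names of treatments already implemented

    @property
    def level(self) -> str:
        return risk_level(self.probability, self.impact)


def _clamp(value: int) -> int:
    """Keep a score inside the 1..5 scale after applying a delta."""
    return max(1, min(5, value))


def apply_treatment(risk: Risk, treatment: Treatment) -> Risk:
    """Return the residual risk after implementing `treatment`."""
    return replace(
        risk,
        probability=_clamp(risk.probability + treatment.probability_delta),
        impact=_clamp(risk.impact + treatment.impact_delta),
        applied=risk.applied + (treatment.name,),
    )


def treat_until_acceptable(risk: Risk, candidates: list) -> tuple:
    """The iterative loop from the slides: while the residual risk is not
    acceptable and options remain, implement the next option and re-evaluate.
    Returns (residual_risk, accepted)."""
    for treatment in candidates:
        if risk.level in ACCEPTABLE_LEVELS:
            break
        risk = apply_treatment(risk, treatment)
    return risk, risk.level in ACCEPTABLE_LEVELS


def summarize(register: list) -> dict:
    """Count risks per heat-map level: the view a risk map gives management."""
    return dict(Counter(r.level for r in register))


# Constructed sample register drawn from the IT perspectives table below.
SAMPLE_REGISTER = [
    Risk("Security and Privacy", "Poor patch management", probability=4, impact=4),
    Risk("Physical Environment", "Natural disasters", probability=2, impact=5),
    Risk("Third Party Service", "Weaknesses in contracts", probability=3, impact=2),
]

# Constructed treatment options for the patch-management risk, in priority order.
PATCHING_TREATMENTS = [
    Treatment("Reduce", "Monthly patch cycle with SLA", probability_delta=-2),
    Treatment("Reduce", "Segment systems that cannot be patched", impact_delta=-1),
    Treatment("Transfer", "Insure the residual loss", impact_delta=-1),
]

if __name__ == "__main__":
    print("Inherent levels:", summarize(SAMPLE_REGISTER))
    residual, accepted = treat_until_acceptable(SAMPLE_REGISTER[0], PATCHING_TREATMENTS)
    print(f"{residual.description}: {residual.level} after {list(residual.applied)}; "
          f"acceptable={accepted}")
```

Running it scores the three sample risks as one EXTREME, one HIGH and one MEDIUM, then treats the patch-management risk: the first treatment brings it from EXTREME to HIGH, the second to MEDIUM, at which point the loop stops and the third option is never applied. Because the criteria live in one place (`ACCEPTABLE_LEVELS`), changing the organization's appetite changes how much treatment the loop demands without touching the register itself.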
Protection concepts and relationships according to ISO
[Figure: protection concepts and their relationships. Source: ISO/IEC 27032:2012]


Risk Management
Information Technology Risk Management
The criteria are based on the 10 perspectives of information technology risks:
1. Infrastructure
2. Data
3. Operations
4. HR
5. Physical Environment
6. Security and Privacy
7. Change Management
8. Third Party Service
9. Regulatory framework
10. Applications and Databases
Information Technology Risk Management
Risks by perspective:
1. Infrastructure: Damage to the servers, inadequate cabling, obsolete technology, inappropriate environmental conditions, improper access to the servers.
2. Data: Disclosure of sensitive data; users with access to reports or information not in accordance with their responsibilities; reports that do not include reliable information; inadequate treatment of confidential data.
3. Operations: Failure to comply with guidelines, procedures and methodologies in the IT department's operational processes; failures in operational processes; inadequate inventory control of IT assets; regulatory compliance files not sent, or sent incorrectly, because of system failures.
4. HR: Weaknesses in the performance and/or regularity of IT personnel, poor training, loss of key IT personnel, high turnover of IT personnel who have access to sensitive data.
5. Physical Environment: Failures in public services, natural disasters, El Niño Phenomenon.
6. Security and Privacy: Events that threaten the confidentiality, integrity and availability of information; information leaks due to unprotected information; devices without controls; poor patch management.
7. Change Management: Budget overruns, low quality of deliverables, ineffective change control, policies and procedures not defined, applications with expired support.
8. Third Party Service: Low level of service, inadequate support, weaknesses in contracts, poor management reports.
9. Regulatory framework: Non-compliance with regulations, non-compliance with software license contracts.
10. Applications and Databases: Unsupported applications, critical system failures, weaknesses in database configurations.
