03/06/2015
1
Presented by
Anne Lalonde Consulting
• Introduction
• Learning Outcomes
• Definitions
• About Justice Canada’s Risk Profile of Information Resources Guideline
• Risk Statements & Examples
• Examples from other GoC Departments and Agencies
• Workshop Activities 1, 2, 3 (in groups)
• Monitor and Manage Risks
• Wrap-up and Evaluation

• At the end of this workshop, you will be able to identify risks to information resources, elaborate mitigation strategies, and monitor and manage these risks.
KNOW YOUR RISKS!

Risk Profile of Information Resources
A document that presents all the legal, regulatory, access to information, security of information, and protection of personal information risks, response protocols and mitigation strategies as they relate to an organization’s information resources.

Versus

Corporate Risk Profile
A Corporate Risk Profile enables an organization to obtain an overview of its key risks, including an understanding of the organization's operational context and objectives with respect to managing risk.
• Initiated on 2011-12-02 by A. Jolicoeur and revised by numerous stakeholders, e.g. LAC
• Approach: Review Key Documents & Conduct Interviews w/ Program Managers
  ◦ MAF results AoM 12 (IM) and AoM 8 (Security)
  ◦ Corporate Risk Profile, Security Plan, Audits, Report on Plans and Priorities
  ◦ IM Plans and RKAT
  ◦ Review Additional Resources
    • Report from ATIP Tracking System
    • Business Continuity Plan
• Interviews w/ Program Managers to confirm results and elicit other risks
• Review MAF AoM 12 and AoM 8
• Review IM Evaluation and Performance Management Results
• Review Existing Risk Assessment Tools
• Evaluate Overall IM Environment
• Define Areas of IM Risks
• Risk Mitigation Assessment
• Apply Risk Level
• Complete Risk Profile Summary Report and Next Steps
What is a Risk Statement?
It is the expression of the likelihood and impact of an event with the potential to affect the achievement of an organization’s objectives. (Source: TBS Guide to Risk Statements)

Risk statement (threat): If (event) occurs, the consequences could result in (negative impact).
Risk statement (opportunity): If (event) occurs, the consequences could result in (positive impact).

Examples:
1. Significant delays in retrieving records due to current tools for data storage and retrieval practices may leave the department unable to adequately respond to Access to Information requests and e-discovery exercises.
2. Improving records management processes and tools through investing in new technologies and liaising with organizations identified as having best practices may lead to more effective management and response to official requests.
3. The security of departmental networks and records could be seriously compromised if new standards are not implemented.
• Using documents provided, identify 3 risks and debate these risks within your group.
• Using the “Risk and Mitigation Worksheet”, elaborate risk statements, risk drivers, potential consequences and mitigation strategies.

Risk and Mitigation Worksheet
A. Risk Description (review documents and identify risks)
B. Risk Drivers (describe the influencers of the risk)
C. Potential Consequences (describe consequences if the risk is not addressed)
D. Current Mitigation Strategies (describe strategies to minimize the risk)

• Using the “Risk Assessment Grid” provided, calculate “Impact”, “Likelihood” and “Residual Risk”.
• Categorize each risk according to “Risk Areas” provided and prioritize risks.
Integrated Risk Management: Risk Assessment Grid
Rows give Impact, columns give Likelihood; each cell gives the residual risk score, its rating and the required management response.

Impact \ Likelihood | Unlikely | Moderate | Likely
Major | 6 Medium: Management attention and regular rigorous monitoring required | 8 High: Must manage and monitor risk rigorously | 9 High: Extensive and immediate management attention required
Moderate | 3 Low: May accept risk with monitoring and annual review | 5 Medium: Management effort worthwhile | 7 High: Management effort required
Minor | 1 Low: Accept risk | 2 Low: Accept risk but monitor | 4 Medium: Manage and monitor risk
Risk Assessment: Risk Areas

Legislation & Regulations
• Reporting
• Performance Metrics
• Non-compliance

Access to Information
• Search/Retrieval
• ATIP Requests
• Transitory Collections
• Retention Schedules
• Disposition Authorities

Security of Information
• Control tools
• Access Rights
• Security Designation
• Transport/Transmittal
• Cyber Threats

Protection of Personal Information
• PIAs
• Control tools
• Security Designation
• Handling
• Transport/Transmittal
• Write a generic questionnaire with open-ended questions for face-to-face interviews with Program Managers, with the purpose of validating existing and eliciting new risks to information resources.
• Conduct an interview with a member of your team to test the questionnaire and make any necessary adjustments.

Examples:
• Are the proper controls in place to protect personal information?
• Are there issues with searching and finding information in response to ATIP requests?
• Are there any risks in completing planned activities as part of the IM & Recordkeeping Plan?
• What are the issues you face with managing information resources?
• Set up a review schedule
• Ensure mitigation strategies have been included in the IM and Recordkeeping Plan, Security Plan, Corporate Risk Profile, and Plans and Priorities
• Ensure awareness provisions are set in the IM and Recordkeeping Plan and the Departmental Security Plan
• Present and share this report with Strategic Planning, Audit and Ethics, Security divisions and business units who have a stake in the report
• Note: See Justice’s Monitoring Report