
WWW.SPSNET.COM
NEPRA SECURITY REGULATIONS FOR INFORMATION TECHNOLOGY & OPERATIONAL TECHNOLOGY

WORKSHOP BY SOFTWARE PRODUCTIVITY STRATEGISTS INC.
SESSION - 3

INFORMATION SECURITY
RISK AND VULNERABILITY ASSESSMENTS

IMRAN UR RAHMAN
SR CONSULTANT CYBER SECURITY
CISA, CISM
AGENDA

• Objective
• Risk and Vulnerability Assessments
• Categories
• Types with examples
• Information Security Regulation by NEPRA
OBJECTIVE

1. Understanding Risk and Vulnerability and their Assessments
2. Requirements as per NEPRA IT Security Regulations
INFORMATION SECURITY - RISK AND VULNERABILITY ASSESSMENTS

• Information security risk assessment identifies, assesses, and implements key security controls in applications.
• Focuses on preventing application security defects and vulnerabilities.
• Risk assessment allows the application portfolio to be viewed holistically, from an attacker's perspective.
STEPS OF INFORMATION SECURITY RISK ASSESSMENTS

Identification
• Determine all critical assets.
• Identify sensitive data (created, stored, or transmitted by these assets).
• Create a risk profile for each.

Assessment
• Carefully assess the identified security risks.
• Effectively and efficiently allocate time and resources towards risk mitigation. For
• Analyze the correlation between assets, threats, vulnerabilities, and mitigating controls for the assessment.
STEPS OF INFORMATION SECURITY RISK ASSESSMENTS

Mitigation
Define a mitigation approach and enforce security controls for each risk.

Prevention
Implement tools and processes to minimize the occurrence of threats and vulnerabilities in your firm's resources.
NEPRA INFORMATION SECURITY
REGULATIONS
INFORMATION SECURITY RA / VA
REQUIREMENTS BY NEPRA REGULATIONS

(1) The licensee shall conduct and document a formal Security Risk / Vulnerability Assessment for Information Security Assets (IT and OT) with a view of identifying, estimating and prioritizing risks to which its operations are exposed due to information security vulnerabilities. The control testing shall be based on the controls mentioned in the relevant international standards. The Board of Directors or a Committee of the Board authorized by the Board of Directors shall review the risk / vulnerability assessment document and take steps to mitigate any risks and vulnerabilities identified.
(a) a current and detailed description of licensee's business and technological environment and existing security measures in place including identification of location, systems and methods for maintaining information;
(b) an identification of information and the information systems to be protected specifically;
(c) classification and ranking (high, medium, low) of the sensitive systems, applications in order of their importance and based on the assessment of threats and vulnerabilities or risk assessment;
(d) assessment of potential threats and vulnerabilities to security and integrity of data, information systems and applications;
(e) an evaluation of existing Security Controls' effectiveness against each threat and vulnerability;
(f) the security and contractual responsibilities of Service Providers (SPs), including customers who have access to the licensee's systems and data;
(g) compliance, concentration, operational, country and legal risks shall be assessed by the licensees before entering into the contract, while managing information security outsourcing arrangements with the SPs;
(h) the Security Risk / Vulnerability Assessment shall be carried out at least once a year; however, in case of a major security breach, significant changes to the infrastructure and introduction of a new product or service, an immediate review of risk assessment shall be carried out. Further, in case of a major security breach, risk assessment review shall include a detailed analysis of the factors that cause such security breaches.
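The assessment steps (identify assets and threats, evaluate control effectiveness, rank) and requirements (c), (e) and (h) above map naturally onto a risk register. The following is an added example, not material from the workshop or from NEPRA: it scores each asset/threat pair as likelihood times impact, credits existing controls to get a residual score, buckets the result into high/medium/low, and checks whether a reassessment is due annually or because of a trigger event. The 1-5 scales, the bucket thresholds and the sample assets are assumptions constructed for illustration; the regulation fixes none of these numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Events that, under requirement (h), call for an immediate review
# regardless of when the last annual assessment took place.
IMMEDIATE_REVIEW_TRIGGERS = {
    "major security breach",
    "significant infrastructure change",
    "new product or service",
}


@dataclass
class Risk:
    """One register row: a threat exploiting a vulnerability on an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int               # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                   # 1 (negligible) .. 5 (severe); assumed scale
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigating)

    def __post_init__(self) -> None:
        # Reject out-of-range inputs so a typo cannot silently distort the ranking.
        if not 1 <= self.likelihood <= 5 or not 1 <= self.impact <= 5:
            raise ValueError("likelihood and impact must be integers in 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be in 0.0..1.0")

    def inherent_score(self) -> int:
        """Risk before controls: likelihood x impact, range 1..25."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Risk after crediting existing controls, as requirement (e) asks."""
        return self.inherent_score() * (1.0 - self.control_effectiveness)


def rank(score: float) -> str:
    """Bucket a residual score into the high/medium/low ranking of requirement (c).
    The thresholds are an assumption of this example, not values from the regulation."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_register(risks: list[Risk]) -> list[dict]:
    """Return the register as rows sorted by residual risk, highest first."""
    rows = [
        {
            "asset": r.asset,
            "threat": r.threat,
            "inherent": r.inherent_score(),
            "residual": round(r.residual_score(), 2),
            "rank": rank(r.residual_score()),
        }
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def reassessment_due(last_assessment: date, today: date,
                     events: tuple[str, ...] = ()) -> tuple[bool, str]:
    """Requirement (h): at least once a year, or immediately on a trigger event."""
    triggered = sorted(e for e in events if e in IMMEDIATE_REVIEW_TRIGGERS)
    if triggered:
        return True, "immediate review: " + ", ".join(triggered)
    if today - last_assessment > timedelta(days=365):
        return True, "annual review overdue"
    return False, "not due"


# Constructed sample register: illustrative assets, not real findings.
SAMPLE_RISKS = [
    Risk("SCADA historian", "unauthorised remote access", "default vendor credentials",
         likelihood=5, impact=5, control_effectiveness=0.2),
    Risk("billing web portal", "SQL injection", "unparameterised queries",
         likelihood=3, impact=4, control_effectiveness=0.25),
    Risk("HR file share", "accidental disclosure", "overly broad share permissions",
         likelihood=2, impact=2, control_effectiveness=0.0),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['rank']:<6} residual={row['residual']:>5} "
              f"{row['asset']}: {row['threat']}")
    print(reassessment_due(date(2023, 1, 10), date(2024, 1, 5),
                           ("major security breach",)))
```

The register output is what a Board committee would review under (1): the residual column shows how much each existing control is credited for, so a "high" that stays high after controls is the item to mitigate first. Keeping the trigger list explicit makes the (h) check auditable: the reason string records why a review was due.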
FEEDBACK AND QUESTIONS

• Q&A
• Comments
• Discussions
• Feedback
SPS OFFERS

• Information Security Risk and Vulnerability Assessments
• Compliance Assessments as per NEPRA Regulations and
other International Standards like NIST etc.
CONTACT US

• Imran ur Rahman
Imran.Rahman@spsnet.com
+92300442997
• Arshad Majeed
arshad.Majeed@spsnet.com
+923465053043
THANK YOU
