MinimaRisk

Black Swan and likelihood of disasters

admin — Mon, 11 Jan 2010 07:36:12 +0000

Geneva, 11.1.2010. During our consulting activities at MinimaRisk we have frequently being asked if it is possible to calculate accurately the likelihood of disasters, therefore to develop a proactive early warning signal that would at some degree forecast an imminent catastrophic event. Unfortunately the reality proves us that forecasting accurately a disaster can’t exist. For example let assign a probability of “p< 1.0″ to a particular event occuring in the next 12 months. If it happens, we might be prone to say “p” should have been 1.0 (we had forecasted < 1.0). If the disaster doesn’t happen we might say “p” should have been 0.0. However it is impossible to have such a foresight, thereforewe look to ways to deal with uncertainty. Probability theory provide mathematically tractable ways of treating uncertainty as long as we can assign probabilities to possible and concrete events. Probability is fine if you work with tossing coins or rolling roulette wheels. It become completely herratic if you try to forecast unique unpredictable events such a natural disasters.

Deming and Information Security Risk Management Process

admin — Fri, 08 Jan 2010 06:16:19 +0000

Lausanne, 8.1.2010. It is undisputed that the effectiveness of a risk treatment depends on how the specific risk assessment has been conducted. Being the goal of the risk treatment to have the lowest possible value on the residual risk, it is extremely important to be able to implement a fully functional “Information Security Risk Management Process” (ISRM). The easiest way is to organize it, according the well-known Deming wheel (btw a fundament of ISO 9001). An ISRM process according the four phases plan-do-check-act would be organized as follow:

PLAN: Establishing the context, Risk Assessment, Developing a risk treatment plan, risk acceptance.
DO: Implementation of Risk Treatment plan.
CHECK: Continual Monitoring and review of Risks.
ACT: Maintain and Improve the Information Security Risk Management Process

It is only by organizing efficiently your Risk Management process that a company will be able to turn proactively risks into opportunities. MinimaRisk helps you to effectively introduce such Risk Management processes diminishing your exposure the Operational Risks, and levaraging the downside of a risk.

Today Compliance Jungle

admin — Thu, 07 Jan 2010 06:07:02 +0000

Zurich, 7.1.2010. It is becoming increasingly difficult to find a whay out of the modern compliance jungle. Since the recent economic collapse, we are facing a revival of compliance, in a much more pervasive level to what we were used with precendent crisis such as Enron, Worldcom or the most recent italian Parmalat affair. By asking business professionals, it is obvious that today compliance market is extremely diverse and populated with all kinds of compliance guidelines. Therefore is not easy to sail in such a sea. The most widespread risk is also to implement a compliance programme which is no longer the best practice in the specific field. At MinimaRisk we work very tight in following the compliance market. Our aim is to focus to a smaller and harmonized set of controls, giving companies and CIO a single point of control over hundreds of complex compliance requirements from around Europe and the world. Do not hesitate to contact us if you would like to attain your compliance in a straightforward manner.

The importance of standards in tenders

admin — Wed, 06 Jan 2010 09:00:39 +0000

Paris, 6.1.2010. In today economy it increasingly important to stress the importance of a thorough tender evaluation very succinctly. It is a fact that it is a false economy to accept underpriced or under resourced bid. A solution to that is to leverage the importance of standards as a best practice of the firm bidding for the specific tender. This is why at MinimaRisk we advise companies in the practical implementation of Governance, Risk Management and Compliance best practices even within their bids. There is nothing better than to prove to the prospective customer that you have the full padronance of standards such as ITIL V3, ISO 20000 Service Management or even ISO 27005 (formerly ISO 13335:2). MinimaRisk advises you on the different standards available today in the market, and specifically which standards can leverage your position in an ever competitive market.

An information risk on the example of Jasper Schuringa and Wikipedia

admin — Mon, 28 Dec 2009 13:27:10 +0000

Zurich, 28.12.2009. This Christmas highlighted the brave intervention of passenger Jasper Schuringa while flying on flight Northwest Airlines 253. Schuringas intervention, among many others passengers, helped to stop a likely terrorist attack on this flight. A crystal clear act that helped to save the life of many other passengers. Nevertheless Schuringas act also highlights an obvious information risk and threat related to Wikipedia, that is the inconsistency of the information reported on Wikipedia. If we take the English article of Wikipedia about Schuringa we learn that:

“….Jasper Schuringa, a resident of Amsterdam and passenger on the flight, was widely credited for intervening and physically restraining the suspect. Using a headgrip,[69] he prevented the suspect from further manipulating his explosive device and dragged him to the forward part of the cabin, where the suspect was handcuffed. Schuriga incurred burns in the process. He was later interviewed by a number of news sources.[70][71] Born in 1971, Schuringa is a Dutch film director of low-budget Dutch films, and is credited as the assistant director for National Lampoon’s Teed Off Two.[72] Vice Prime Minister Wouter Bos called Schuringa on behalf of the Dutch government, conveying compliments and gratitude for his part in overpowering the suspect.[73][74] Dutch Member of Parliament Geert Wilders called Schuringa “a national hero” for his actions, and said that “he deserves a royal honor”, which Wilders said he would ask the Dutch government to award.[75][76]…”

We have at least 7 references on the bio of Schuringa, however none of the references contained in Wikipedia do exactly state the birth and activity of Schuringa.
If we take the same Wikipedia, but the Dutch version we learn that Jasper Schuringa:

“….Jasper Schuringa, 1977, Curaçao, eigenaar van een videoproductiebedrijf in Amsterdam, was op 25 december 2009 passagier op vlucht 253 van Northwest Airlines van Amsterdam naar Detroit. Enkele minuten voor de landing poogde een medepassagier, de 23 jaar oude Umar Farouk Abdulmutallab, met het chemische middel pentriet een explosie te veroorzaken. De brand die daarbij ontstond werd opgemerkt door andere passagiers, waaronder Schuringa. Schuringa verklaarde onmiddellijk te hebben gereageerd en samen met de bemanning het beginnende vuur te hebben gedoofd, en vervolgens met de bemanning de passagier in bedwang te hebben gehouden. Umar Farouk Abdulmutallab werd, met tweedegraads brandwonden, in hechtenis genomen. Schuringa hield lichte brandwonden aan een hand aan het incident over…”

[translated to English with Google] Jasper Schuringa, 1977, Curaçao, owns a video production company in Amsterdam, was on December 25, 2009 passenger on Northwest Airlines flight 253 from Amsterdam to Detroit. A few minutes before landing attempted a fellow passenger, the 23 years old Umar Farouk Abdulmutallab, reed pen with the chemical to cause an explosion. The fire that began while it was noted by other passengers, including Schuringa. Schuringa said immediately responded and together with the crew to have extinguished the fire starting, and then the crew in the passenger restraint have taken. Umar Farouk Abdulmutallab was, with second-degree burns, in custody. Schuringa was minor burns to one hand on the incident. …”

The obvious information risk, and somehow criticism, is clearly stated by the details on Jasper Schuringa birth (1971 or 1977) and professional activity (past and present). Not a big issue for sure seen that he saved many lives, but the English version of Wikipedia is supported by a wealth of references which give the impression that the information related to Jasper Schuringa is the most factual and real. The dutch version doesnt contain any reference at all. The reader is left to his own, in finding which article on Janish Schuringa contains the most real data. BTW this wouldnt be a problem if the article on Northwerst Airlines Flight 253 would not be the most read article according WikiRage, the tool for researching the most read articles on Wikipedia.

Risk IT by ISACA, here we go with another standard !

admin — Wed, 23 Dec 2009 05:16:18 +0000

Zurich, 23. december 2009. Global IT governance organisation ISACA has just launched a best practice framework to provide a further link between enterprise risk and IT risk management. “Risk IT” builds on COBIT 4.1 and is aimed at helping companies identify and manage IT-related business risks. The focus of “Risk IT” is essentially on the mismanagement of risks affecting IT operations, such as late programme delivery, an outdated IT infrastructure or a lack of relevant skills in the specific operations. Risk IT should enable companies to compare their internal risk management practices with the ISACA template, as well as provide a best practice blueprint for those organisations with no plans in place. It ought to be seen, how Risk IT will fit in an environment, Risk Management, which has already (too) many standards and way too few practical tools. At MinimaRisk we addressed these pitfalls be developing a tool, MinimaRisk conceived to lower exactly all types of risks, related to operations or projects.

Biggest hurdles in contemporary Risk Management?

admin — Tue, 22 Dec 2009 04:57:17 +0000

Geneva, 22. december 2009. Finally just in time for the end of 2009, the newest standard in Risk Management, ISO 31000:2009 has just been released. ISO 31000 helps organizations drafting a much better and comprehensive risk management. The familiarity of this standard with its Australian/New Zealand counterpart, the widely known AS/NZS 4360:2004 is evident. ISO 31000:2009 is an heterogenous standard which can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. Nevertheless the biggest hurdles in risk management do not usually come from a misunderstanding of concepts, but from a difficulty translating those concepts into practical tools and processes. How should we measure risk based on available information? What forms and reports do other organisations use? These questions have been widely researched by MinimaRisk, and it is for that we came up with our Risk Management solution. The only possible answer for an easy to use instrument, made to turn risks into operational opportunities.

Cours Exclusif sur CobIT à Paris

admin — Mon, 21 Dec 2009 08:56:44 +0000

Paris 21.12.2009. En cette fin d’année 2009, MinimaRisk France vient de terminer le contrôle qualité d’un séminaire exclusif planifié en 2010 à Paris. Ce cours de trois jours prépare les Participants à la meilleure pratique de CobIT. Ce cours inclut notamment les concepts de « Val-IT » et « Assurance Guide », et aborde les notions de « Balance Sorecards » ainsi que les principes du Modèle de maturité. La session aboutit à l’examen de la certification CobIT 4.1 Foundation. Un examen exigeant, reconnu par l’institution internationale ISACA.
Selon Philippe Mialet, Directeur de MinimaRisk France, ce séminaire CobIT apporte les avantages suivants : “…CobIT devient un outil très important des activités d’audit et de contrôle des Processus, parfaitement intégrable avec ITIL V3 et ISO 20000. Ce séminaire fournit aux Participants un guide précieux afin d’améliorer la gestion de leur services informatiques en alignement avec les exigences des métiers de l’entreprise…”.

A propos de MinimaRisk : MinimaRisk est une société Franco-Suisse de conseil dans la Gouvernance d’entreprise, la Gestion des risques et la Conformité aux règles établies. Dans ce cadre, MinimaRisk possède un outil dédié à la gestion des risques opérationnels, logiciel axé sur les besoins pratiques et actuels d’un gestionnaire de risques soucieux de mettre en place un système de contrôle interne global. Le siège de MinimaRisk est en Suisse avec deux représentations (Zürich et Genève) et une représentation en France (Paris). Les équipes de MinimaRisk sont certifiées CobIT, ISO 27001, ISO 20000, ITIL Expert, Prince2, Management of Risk). Nos missions de conseil et de formation sont données en cinq langues et sur deux continents (Europe et Afrique).

Exponential rise of ISO 27005

admin — Sun, 20 Dec 2009 09:29:38 +0000

Zurich, 20. December 2009. MinimaRisk research division watches the overall increase of interest of the new IT Risk Management spinoff standard of ISO 27001, that is ISO 27005 Risk Management.

ISO 27005 IT Risk Management provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and it is designed to assist the satisfactory implementation of information security based on a risk management approach.

There is indeed an overall increase in interest over time, as illustrated by this graph illustrating the number of searches that Google Insights has registered since 2004 on “ISO 27005 Risk Management”:

ISO 27005 success is hence tightly correlated with in relationship with ISO 27001 (formerly BS 17799). Today IT departments are confronted in a need to regulate their activities, specifically to align the service according Governance, Risk Management and Compliance (GCR) requirements. By doing so, the importance of ISO 27005 Risk Management will continue to growth well into 2010.

(Français) Gouvernance et Audit en 2010 toujours un risque

admin — Wed, 16 Dec 2009 20:14:26 +0000

Sorry, this entry is only available in Français.