Gary Gaskell
Infosec Services Pty Ltd
Gary is a security risk management specialist with 24 years in the information security field. His career started as a technologist in security development and system/network administration. Since 1997 Gary has worked in cyber security for government and industry on application security, network security, security policy, SCADA security and information security management systems. This work includes the establishment of the IT security risk management processes in a fast-growing bank. He recognises the importance of clear executive-level communication and currently assists large enterprises in understanding their security risks and how to protect against those risks. He has been a pure-play security specialist his whole working career, from before it was popular. He holds a research masters degree in information security and two bachelors degrees (Electronic Systems & Computer Engineering, and Information Technology). He is a Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Cloud Security Professional (CCSP), Certified Professional - Cyber Security (ACS) and is a graduate member of the Australian Institute of Company Directors. He volunteers time for Crikey Con and for an IT security committee for Standards Australia (and for the presentation of this tutorial at the AusCERT conference!).

Handouts:
Gary_Gaskell-Info-Security-Tute-Handouts-1-Morning-at-AusCERT2018
Gary_Gaskell-Info-Security-Tute-Handouts-2-Afternoon-at-AusCERT2018

TUTORIAL: Information Security Risk Management

There is a great diversity of opinion on where and how best to protect data and information systems. It is common for so-called "experts" to disagree, sometimes quite fervently. To obtain a clear and consistent view of good security, the best-practice approach is to use risk management techniques. Risk management can ensure that no weak links in the (security) chain are overlooked and that the most important issues become priority action items. Risk management is not rocket science, but it is a significant departure from the traditional control-based and vulnerability-based approaches to information security management that technologists commonly use.

This tutorial will cover the basics of conducting risk assessments and the whole risk management process. In the afternoon a "hypothetical situation" will be used to apply the theory and develop participants' proficiency in applying risk assessment and risk management techniques to their own organisations. We will also explore the specific challenges for cyber security and what to do about them. At this tutorial you will be provided with the skills and techniques to identify, assess and evaluate IT and information security risks and to translate that information into a business context for your senior management. This tutorial will assist technologists and IT managers to determine work priorities and to enhance their credibility with senior management.