IT System Risk Assessment
The area of information security in its essence is a response to business instability triggered by a number of internal and external factors.
The inherent vulnerability of information resources, systems and processes is a constant organizational risk, as these weaknesses can be exploited by various threats, which could result in loss of profitability, loss of reputation, etc.
Implementing information protection measures, and continuously monitoring and improving them, means both prevention mechanisms and prompt incident response, as a defense against potential losses.
On the other hand, complete and “impenetrable” information system protection is a utopia, not only because the investment costs cannot be justified, but also because adequate security measures are often simply not feasible.
To give the organization's Management Board a clear and accurate insight into all weaknesses of the current situation, and to support the subsequent selection of adequate protection measures, a Risk Assessment of information resources must be carried out.
As a crucial element in the implementation of the information security management system, Risk Assessment is a complex project, which includes the following phases:
- Identification and recording of information resources, nomination of their owners and security categorization (integrity, availability and confidentiality) in the Registry of Resources
- Allocation of potential internal and external threats to resources
- Detection of vulnerabilities in resources that could be exploited by the identified threats
- Assessment of the likelihood and business impact of the identified threats
- Identification of security risk levels for subsequent priority classification
- Risk management mechanisms (risk reduction, avoidance, transfer and acceptance)
Due to the complexity of the solution, both in its implementation and in its data, the process should follow a best-practice methodology that provides not only easy-to-consult information storage but also an efficient data update mechanism, and that meets the criteria of uniformity, objectivity, reliability and repeatability.
Specifically, continuous changes in business conditions, personnel turnover and the evolution of company products and services make Risk Assessment a continuous process, as the only way to maintain its applicability and efficiency in the given information systems.
The analysis of the identified risks is divided into quantitative analysis (each risk is assigned a specific, most commonly monetary, value) and qualitative analysis (subjective assessment of risk parameters).
Both methods have their advantages and disadvantages, and the methodology that uses their combination in different phases of the process is an optimum selection for the majority of organizations.
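The phases listed above (registry of resources with owners and CIA categorization, threat and vulnerability allocation, likelihood and impact rating, risk level classification, treatment choice) and the quantitative/qualitative split can be shown working together in a small risk register. The following is an added illustration, not ECS's methodology or tooling: the 1..5 rating scales, the risk-level bands, the use of annualized loss expectancy (asset value × exposure factor × annual rate of occurrence) for the monetary side, and the treatment policy are all assumptions of this example, and every asset, threat and number is constructed sample data.

```python
"""Risk register example (not ECS's methodology): assets -> findings -> prioritized risks.
Qualitative side: owner-rated likelihood x impact on a 1..5 scale, banded into levels.
Quantitative side: annualized loss expectancy (ALE) in EUR. All data is constructed."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    owner: str                 # nominated owner who rates value and impact
    value_eur: float           # business/replacement value used by the quantitative side
    confidentiality: int       # security categorization, each 1 (low) .. 3 (high)
    integrity: int
    availability: int

    @property
    def criticality(self) -> int:
        # Assumption: the highest of the three CIA ratings drives priority
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Finding:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1..5 (qualitative)
    impact: int                # 1..5 (qualitative)
    exposure_factor: float     # fraction of asset value lost per incident (quantitative)
    aro: float                 # annualized rate of occurrence (quantitative)
    control_cost_eur: float    # estimated annual cost of the cheapest mitigating control


def qualitative_score(likelihood: int, impact: int) -> int:
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact


def risk_level(score: int) -> str:
    # Band thresholds are an assumption of this example, not a standard
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def annualized_loss_expectancy(value_eur: float, exposure_factor: float, aro: float) -> float:
    single_loss_expectancy = value_eur * exposure_factor
    return single_loss_expectancy * aro


def treatment(level: str, ale_eur: float, control_cost_eur: float) -> str:
    """Example treatment policy (assumption): reduce when a control pays for itself,
    otherwise accept Low, transfer Medium (insurance/contract), avoid High."""
    if control_cost_eur < ale_eur:
        return "reduce"
    return {"Low": "accept", "Medium": "transfer", "High": "avoid"}[level]


def build_register(assets: list, findings: list) -> list:
    """Score every finding against its asset and return entries sorted by priority:
    qualitative score, then asset criticality, then ALE (all descending)."""
    by_name = {a.name: a for a in assets}
    register = []
    for f in findings:
        asset = by_name[f.asset]   # KeyError for a finding on an unregistered asset
        score = qualitative_score(f.likelihood, f.impact)
        level = risk_level(score)
        ale = annualized_loss_expectancy(asset.value_eur, f.exposure_factor, f.aro)
        register.append({
            "asset": asset.name, "owner": asset.owner, "criticality": asset.criticality,
            "threat": f.threat, "vulnerability": f.vulnerability,
            "score": score, "level": level, "ale_eur": ale,
            "treatment": treatment(level, ale, f.control_cost_eur),
        })
    register.sort(key=lambda r: (r["score"], r["criticality"], r["ale_eur"]), reverse=True)
    return register


# Constructed sample data (hypothetical organization)
SAMPLE_ASSETS = [
    Asset("Customer database", "Head of Sales", 500_000, 3, 3, 2),
    Asset("Public website", "Marketing Manager", 50_000, 1, 2, 3),
    Asset("Internal wiki", "IT Manager", 20_000, 2, 1, 1),
]
SAMPLE_FINDINGS = [
    Finding("Customer database", "Unauthorized disclosure by external attacker",
            "Unpatched database server", 4, 5, 0.4, 0.5, 30_000),
    Finding("Public website", "Denial of service", "No rate limiting", 3, 3, 0.1, 2.0, 8_000),
    Finding("Public website", "Hosting provider outage", "Single provider, no failover",
            3, 3, 0.2, 0.5, 20_000),
    Finding("Internal wiki", "Accidental deletion by employee", "No backups", 2, 2, 0.1, 0.5, 3_000),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(f'{row["level"]:6} score={row["score"]:2} ALE={row["ale_eur"]:>9.0f} EUR '
              f'{row["treatment"]:8} {row["asset"]}: {row["threat"]} ({row["owner"]})')
```

The register output is the raw material for the Board report described later on this page: each entry already names the responsible owner, its priority rank and a proposed treatment, so the remaining work is the review of the ratings and the costing of the chosen controls.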
ECS uses a deductive approach to this analysis, starting with the business and IT processes and ending with the information resources.
The decisions concerning the values of processes and resources, the severity of vulnerabilities and threats, their likelihood and the corresponding damage estimate are delegated to the nominated owners of the resources, as the most competent persons in their line of work.
This segment is followed by a comprehensive analysis of all risk assessments, used to prepare a report for the organizational Management Board on the threatened business areas, classified by priority, with recommendations for risk management measures.
Whereas the motivation for addressing information security can come from a variety of sources (a need to feel secure, prevention of repeated incidents, legislative and professional obligations), it is impossible to obtain an efficient result, i.e. to achieve and maintain a satisfactory level of security, without a system based on the priorities of importance and vulnerability of information resources as essential business factors.
A comprehensive analysis identifies business segments with different security levels, which can be used to develop Risk Management Plans. These plans provide prompt protection for the most important resources, thus justifying the investments and allowing further development of organizational information security.
Without such a systematic approach, protection mechanisms may still emerge as the product of better organized units and conscientious individuals. However, without the declared intention and support of the Management Board it is impossible to address this issue as a whole and to manage information resources efficiently.
Engaging an external company for the initial Risk Assessment, and for subsequent personnel training so that Employees can carry out regular smaller-scale updates independently, reduces costs because permanently employed in-house specialists are no longer required.
From its initiation, the development of a comprehensive Registry of information resources, the identification of threats and vulnerabilities and the assessment of security risks – the entire process is difficult to implement without adequate software tools and know-how.
Whereas the procurement of technical solutions is no longer a problem, as their range is increasingly broad, selecting the optimum tools that live up to their marketing claims and meet the specific Customer requirements is not an easy task.
Due to the heterogeneity of this issue, automated mechanisms cover only a portion of the Risk Assessment challenge.
Exhaustive and continuously updated lists of vulnerabilities and threats, particularly for IT resources, practical experience with risk quantification and with recommending protection measures, and a project approach with precise deadlines, applied by internationally certified ECS security specialists, guarantee a professional approach and justify the investments in information protection mechanisms.
- An information confidentiality agreement.
- Contact with the persons in charge inside the organization (Board Members and business process/organizational unit Managers).
- Allocation of time to Employees and to process and resource owners to participate in the project in compliance with the Project Plan.
PRODUCTS AND SERVICES
- Development of a Registry of Information Resources
- Identification of threats and corresponding vulnerability of
- Risk assessment for information resources based on the likelihood of threats and their business impact
- Risk quantification
- Development of the Risk Management Plan and a proposal for security measures based on the criticality of resources
- Presentation for the Board Members