Risk. The term has many definitions, such as a high probability of failure or loss. In the terminology of the discipline called risk management, however, it simply means the probability that an event occurs which causes damage. Such events can be caused by natural influences, by faults in today's complex technologies or by human failure. We run risks every day, in business, finance, security and elsewhere. Managing them usually requires recognizing them in advance and as accurately as possible, which allows us to take specific steps to reduce or eliminate them.
In terms of information, it is desirable to take measures that protect our information from security risks. This effort is effective, however, only if we spend our financial resources so that the cost of the protective measures is proportional to the value of the protected assets and to the extent of the threat to them.
The goal of risk analysis is to identify assets and determine their importance for the smooth functioning of the organization (asset valuation), to find possible sources of danger to those assets (threats), to evaluate the current means of protection, to find the existing weak points in those protective measures (vulnerabilities), and to determine the resulting level of risk to the assets.
The process of risk assessment consists of:
Developing a model of company assets (identification and assessment of assets)
Analysis of existing security measures and determining vulnerability of assets
Identification of the relevant threats
Identification of the risk of disruption from the perspective of confidentiality, integrity and availability
Recommendations for remediation: a proposal to modify the existing measures and, where needed, to implement additional ones so that information is protected adequately to its value and its level of exposure.
The primary purpose of risk analysis is therefore not only to identify assets (information and the resources that process it), threats and weak points in the protective measures, but above all to determine the expenditure on asset protection that is justified by the potential losses.
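The steps above (asset valuation, existing controls and vulnerabilities, threats, risk per CIA dimension, proportionate remediation) can be carried through on a small quantitative risk register. The following is an added example written for this page, not the consultancy's own method or tooling: it assumes a simple expected-annual-loss model (likelihood x vulnerability x impact x asset value) and applies the proportionality rule by rejecting any control whose annual cost exceeds the risk it removes. All assets, threats, values and probabilities are constructed placeholders, not client data.

```python
"""Quantitative risk register for the assessment steps described above.

Added example; the asset values, likelihoods, vulnerability factors and
control costs below are constructed placeholders, not real figures.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # replacement or liability value, EUR (constructed)


@dataclass(frozen=True)
class Threat:
    asset: str
    name: str
    dimension: str        # confidentiality, integrity or availability
    likelihood: float     # expected occurrences per year
    vulnerability: float  # probability the threat succeeds against current controls, 0..1
    impact: float         # fraction of asset value lost if it succeeds, 0..1


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    asset: str
    threat: str
    residual_vulnerability: float  # vulnerability once the control is in place


# Constructed inventory (step 1: asset model).
ASSETS = [Asset("Customer database", 200_000.0), Asset("Order web shop", 120_000.0)]

# Constructed threat list with current vulnerability (steps 2 to 4).
THREATS = [
    Threat("Customer database", "Database dump via SQL injection", "confidentiality", 0.5, 0.6, 1.0),
    Threat("Customer database", "Ransomware on database host", "availability", 0.3, 0.5, 0.5),
    Threat("Order web shop", "Volumetric DDoS", "availability", 1.0, 0.8, 0.1),
    Threat("Order web shop", "Price tampering via client-side parameter", "integrity", 0.4, 0.5, 0.25),
]

# Constructed candidate measures (step 5: remediation proposals).
CONTROLS = [
    Control("Parameterised queries and input validation", 20_000.0, "Customer database", "Database dump via SQL injection", 0.05),
    Control("Offline backups with tested restore", 8_000.0, "Customer database", "Ransomware on database host", 0.1),
    Control("DDoS scrubbing service", 15_000.0, "Order web shop", "Volumetric DDoS", 0.1),
    Control("Server-side price validation", 2_000.0, "Order web shop", "Price tampering via client-side parameter", 0.05),
]


def annual_risk(asset: Asset, threat: Threat, vulnerability: Optional[float] = None) -> float:
    """Expected annual loss: likelihood x vulnerability x impact x asset value."""
    v = threat.vulnerability if vulnerability is None else vulnerability
    return round(threat.likelihood * v * threat.impact * asset.value, 2)


def risk_register(assets: List[Asset], threats: List[Threat]) -> List[Tuple[str, str, str, float]]:
    """One row per (asset, threat): which CIA dimension is hit and the annual risk."""
    by_name = {a.name: a for a in assets}
    return [(t.asset, t.name, t.dimension, annual_risk(by_name[t.asset], t)) for t in threats]


def rank_controls(assets, threats, controls):
    """Split controls into accepted and rejected by net benefit.

    Returns (accepted, rejected), each a list of (name, risk reduction, net benefit),
    accepted sorted by net benefit descending. A control is rejected when its
    annual cost exceeds the risk it removes: spending on protection should be
    proportionate to the asset's value and exposure.
    """
    by_name = {a.name: a for a in assets}
    by_threat = {(t.asset, t.name): t for t in threats}
    accepted, rejected = [], []
    for c in controls:
        asset, threat = by_name[c.asset], by_threat[(c.asset, c.threat)]
        before = annual_risk(asset, threat)
        after = annual_risk(asset, threat, c.residual_vulnerability)
        reduction = round(before - after, 2)
        net = round(reduction - c.annual_cost, 2)
        (accepted if net > 0 else rejected).append((c.name, reduction, net))
    accepted.sort(key=lambda row: row[2], reverse=True)
    return accepted, rejected


if __name__ == "__main__":
    for asset, threat, dimension, risk in risk_register(ASSETS, THREATS):
        print(f"{asset:18} {threat:45} {dimension:16} {risk:>10.2f} EUR/yr")
    accepted, rejected = rank_controls(ASSETS, THREATS, CONTROLS)
    print("\nRecommended, by net benefit:")
    for name, reduction, net in accepted:
        print(f"  {name:45} removes {reduction:>9.2f}, net {net:>9.2f}")
    print("Not justified by the risk removed:")
    for name, reduction, net in rejected:
        print(f"  {name:45} removes {reduction:>9.2f}, net {net:>9.2f}")
```

With the constructed figures the scrubbing service is the only measure that costs more than the annual risk it eliminates, so it drops out of the recommendation, while the three others are ordered by how much residual loss each one buys down after its own cost. In a real engagement the likelihood and vulnerability factors come from the threat assessment and the review of existing controls, and the same arithmetic is what turns them into a prioritised remediation plan.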
Detailed identification of key assets (not only information) and of the weak points in operating procedures and in the way technology is used: a comprehensive overview of the possible threats to your information
Basis for management decisions on risk management
Proposed specific measures to remedy the shortcomings, sorted by implementation priority and effectiveness
Analysis output that meets the requirements of the ISMS (documentation structure, mapping between the selected measures and the standard's controls, all according to the statement of applicability and the other requirements of the standard)
The methods and procedures applied in the risk analysis are based on:
Slovak legislation (e.g. Act No. 122/2013 Coll. on Protection of Personal Data)
ISO/IEC 27001 (the base ISMS standard)
ISO/IEC 27002 (formerly ISO/IEC 17799)
If you are interested in more details please contact us.