Company risk management in the field of information security

Introduction: Risk Analysis

These days there are very interesting opportunities for business in incredibly diverse environments. This diversity brings enormous opportunities for every business entity. However, we have to realize the rules. Where there is an opportunity, there is also a risk. The greater opportunity there is, the higher risk can be expected. The companies realize this fact and they focus on the analysis of opportunities using CRM and other specialized tools. The area of opportunity evaluation has been thus mastered. If the company focuses on risks, it realizes the risks exist. In addition to the awareness of the risks, there are plenty of questions. Which risks can be assumed? Where does a risk arise from? Where do we face vulnerabilities? Can we defend ourselves effectively? We should realize that these risks are not general. The risks the company is currently investigating are included in the area which is definitely not static. They include information. Information has interesting features. They are created, modified, transferred, they disappear and, above all, there is a great interest in them. The result of these questions consists in, at best, several tables which try to describe this issue. Their topicality disappears gradually with the fluctuation of human resources. The attempt to manage risks is supported by a table with a promise that the person in charge will meet the requirement and implement the measure. In the worst case, the persons in charge will be frightened of the rather difficult task assigned to them by the management, and with the excuses that it will not be possible, they will not even start. I will try to point out to some key milestones which lead to control the risks in the company.

Determination of the key services of the company

At the beginning of the risk analysis, we have to determine the key services of the company that the risk analysis will address. For the right choice, we can focus on the areas, the internal operations in the company, the services provided to customers, the services with high creditworthiness, the services with high penalties, the services with confidential information, etc. The risk analysis of the defined service uses the term Primary Asset.

The determination of the company’s assets

Each service provided requires premises, human resources, equipment and information. We will use the common term Asset. Therefore, each service in the risk analysis needs to be determined as the key asset. With the increasing number of services, there is an increasing number of assets. Moreover, some services use the same assets. This is the moment when the tables stop to work properly, and the system becomes unsustainable. It is appropriate to define the types of assets, individual items and to sort them out by the type to persons, hardware, software, network elements, information, etc. It is much easier to obtain control over a smaller group of elements.

Evaluation of the company’s asset

• To evaluate the asset, it is advisable to use three aspects of information security
• Confidentiality - the level of confidential information with which the asset comes into contact
• Integrity - the value of the impact of the unauthorized change to the information
• Availability - the value of the impact of the unavailability of the information
Using the appropriate methodology, we will determine the asset value, thus obtaining the attribute, on the basis of which we can determine the priority of individual assets.

Defining the threats and vulnerabilities

This area will provide the company with the first answers to the above questions in the creation of the risk analysis. For beginners, it is advisable to base on the list of standard threats and vulnerabilities. More advanced and experience persons can create threats based on their experience and the knowledge of their company. Just ask yourself: “What can pose a threat to the information?” Consider the printed form, electronic form on a medium and electronic form in information systems. I think that for example a fire, flooding, theft, vandalism or user error come to the minds of most of us. The modern threats include multiple forms of cybercrimes, ransomware, phishing, malware and others. There are also some special threats arising from the services provided to the customers. Such threats are advisable to be discussed directly with the customer. It is recommended that the procedure for risk assessment is agreed. The determination of vulnerabilities include the awareness of the way the threat affects and damages our assets. Such vulnerabilities include identity theft, malicious code introduction, unauthorized changes, unauthorized access and others.

Risk Assessment

The perception of risk is very subjective. Therefore, it is appropriate to introduce a uniform methodology. For smaller companies with max. 250 employees, where fewer services and assets are assumed, the attributes of the asset value and the impact of the threat and the predicted occurrence of the threat are enough. Multiplying these values, we will obtain the sufficient range of values. For companies with more employees or with a robust information environment, you can choose from a wealth of methodologies which will meet some very stringent requirements. In addition to the calculated value, the detailed description is very important for proper understanding of the risk. The description will guarantee continuity and, in particular, the right understanding of why we perceive the risk at this level. Upon subsequent check or submission to the company management, we have prepared transparent documents with the reason for the risk value.

And that is it. Maybe...

With this step, we have achieved the goal. We have described our company in terms of the risk analysis. We have an overview of the key services, we have the key assets under control, we know threats, we know risks, but... At this moment, the company has learned that besides opportunities, there are real risks, which are described and whose values are calculated. And what else?

Risk management plan

Now we are approaching the key stage, when the company starts to deal with the detected risks with a suitable strategy. At the beginning of the plan preparation, it is advisable to set a minimum risk value, from which the risk will be dealt with. The defined risks shall be treated by activities that are called “measures” in the analysis. There are a plethora of measures offered. For the sake of clarity, it is appropriate to base on the recommended set of measures from the standard ISO 27002 or use the recommendations CIS in the area of internet security. This allows compliance with ISO 27001.

Ensuring effectiveness in the implementation of measures

Prior to the actual implementation, the impact of the selected measure on the existing risk value should be evaluated. The persons in charge, therefore, determine the value of the expected residual risk. Thus, we will prevent inefficient implementation of measures with no effect on the actual risk. For the effective implementation of the measure, the persons in charge should ensure sufficient information for decision-making by the company management. The important information includes the estimated cost of the measure, the capacity of human resources and the estimated time of implementation. This avoids the situation when the actual cost of implementation disproportionately exceeds the cost of the accepted risk. An integral part is to verify the functionality of the deployed measure and to check the actual impact on the asset.

Maintaining the risk analysis functionality

With the above steps, the company has obtained the real risk analysis. To maintain the tool in the functional condition, it is appropriate to perform some periodic activities. The check for up-to-date services and assets. Updating the threats and vulnerabilities Risk review and risk re-evaluation. Updating and checking the measure implementation plan. Thus, we have achieved the imaginary goal. The risk analysis is, however, a living organism, constantly evolving. It falls within the field of continuous improvement and it is applicable by the method PDCA.

Risk analysis and our company

Our company went through similar situations mentioned at the beginning of this article. The beginnings were hard. We sought for the certification ISO 27001, the risk analysis was not updated, it was confusing, all tables and chaos. The change occurred after the issues had been understood and there had been some investing in the development of the Risk Analysis Application. Thanks to the increased asset transparency, the creation of threat codebook and the detailed descriptions of risks, everything began to make more sense. The results of the risk analysis can be presented to the company management in a transparent manner. The introduction of the standardized measures of ISO 27002 and the measures CIS set a clear standard for the implementation of appropriate measures. Now we have introduced the module of ISMS Audit into the Risk Analysis Application. Thanks to this, we have the issues of information security in one place. Thus, we can focus on the current situation more, here and now. This is essential for safety.

Conclusion

I thank the readers who have reached this point of the article for their proven persistence and determination. Information security and the actual risk analysis is a very interesting area for IT people and geeks. It adds a connecting element in each sector; the element is the sense of security.



Václav Voříšek
Security director, COM PLUS CZ a.s.