INFORMATION SECURITY RISK MANAGEMENT

www.pecb.com

When Recognition Matters

//////////////////////////////////////////////////////////////////////////////////////////////////////

At the beginning of this year, we have seen a large number of articles, top security companies, magazines and bloggers predicting that the number of information security threats will just get worsen, even while investments are made more and more on information technology to ensure a better business performance. Top Lists of information security threats were more spread over the month of January than IT developments or information security best practices used during 2014.

In general, all conclusions about predicted threats come to a point where it is said that securing information systems from suspicious activity and breaches can be done by developing an enterprise-wide approach to information security, supported by management. A wide approach of information security would be included within a risk management system.

Risk management in information security means understanding and responding to factors or possible events that will harm confidentiality, integrity and availability of an information system.

The very first step that should be included in any risk management approach is to identify all assets that in any way are related to information. These assets can be different applications or can be servers, networks routers, switches, back-up disks and systems, laptops, computer desktops, mobile phones, or different devices which are used to process, transmit and maintain information. Asset can be a document, a research results, and basically anything that has a value for the company. Sometimes, information security itself is considered asset.

The second step includes identification of threats toward identified assets. Threat is a potential cause of an unwanted incident, which may result in harm to a system or organization. Threats can be a theft, virus, disclosure of important data, floods, infrastructure or software failure, hackers, etc.

As a third step is to identify vulnerabilities. These vulnerabilities can include a wide range of cases: no data backup, no encryption, weak passwords, no remote wipe, no surge protection, no training, no access management, no firewalls, no business continuity plans, etc.

INFORMATION SECURITY RISK MANAGEMENT2

INFORMATION SECURITY RISK MANAGEMENT

For every identified threat there should be calculated the likelihood that specific threat would exploit specific vulnerabilities. Likelihood is the chance of something happening. Here it should be included other data which are used to calculate the percentage or the likelihood then different statistics which would show data breaches, complains, security incidents, etc. Different companies use simple ranking system such as: high/medium/low.

For every calculated threats’ likelihood there should also be included the impact or consequence that this incident can have in organization. This would result in a risk ranking list. From top to bottom, every identified risk should be included together with the solution’s cost or the planed treatment cost. Then, based on this result the company could proceed with the risk evaluation. This includes the comparison between the estimated level of risk against risk evaluation criteria and risk acceptance criteria. This process would decide which of the threats should be considered.

Sometimes, organizations decide to accept, transfer, avoid or mitigate risk. All this depends on organization’s strategy and operational needs. Risk treatment comes as planned activities, which should be classified in order of priority and also during this process it should be allocated the necessary resources to the treatment plan.

All steps explained above are part of different approaches and methodologies that a company can use for risk management. These steps sometimes are referred as a risk management life-cycle which in general terms can be found as a: risk identification, risk analyses, risk evaluation, risk treatment and risk acceptance. Such structure can be found standardized in ISO 27001 standard, which has already become an information security management standard for companies of all sizes and in all industries.

ISO 27001 includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. This standard aligns with the principles and generic guidelines provided in ISO 31000. The requirements of ISO 27001 are supported also by ISO 27005, in which standard can be found the guideline for information security risk management in an organization. Adding here ISO 27000, which explains the definition of terms that are related to risk management and are found in ISO 27001 and ISO 27005.

One of the clauses that ISO 27001 has is clause number six which requires defined process to implement the appropriate measurements/controls in order to eliminate or minimize the impact that various security related threats and vulnerabilities might have on an organization.

3

//////////////////////////////////////////////////////////////////////////////////////////////////////

Moreover, ISO 27002 gives guidelines on how to select controls within the process of information security standard, how to implement these controls and how to develop new controls taking into consideration the organization’s information security risk environment can be very useful.

As a conclusion, nowadays the value of information has reached a critical point becoming one of the most important assets that a company can possess, while collecting, processing, transmitting and storing has become too complex.

It is up to organizations to decide for a specific approach for information security risk management system and all this depends in its scope, context of risk management, or industry sector. However, it is very important to consider the existing methodologies that have already shown good results.

PECB International is a certification body for persons on a wide range of professional standards. It offers ISO 27001, ISO 27002, ISO 27005, ISO 20000 and ISO 22301 training and certification services for professionals wanting to support organizations on the implementation of these management systems.

ISO Standards and Professional Trainings offered by PECB:• Certified Lead Implementer (5 days)• Certified Lead Auditor (5 days)• Certified Foundation (2 days)• ISO Introduction (1 day)

Lead Auditor, Lead Implementer and Master are certification schemes accredited by ANSI ISO/IEC 17024.Rreze Halili is a Security, Continuity and Recovery (SCR) Product Manager at PECB International. She is in charge of developing and maintaining training courses related to SCR. If you have any questions, please do not hesitate to contact: scr@pecb.com.

For further information, please visit www.pecb.com.

INFORMATION SECURITY RISK MANAGEMENT4

//////////////////////////////////////////////////////////////////////////////////////////////////////

ISO 27001

ISO 27005 ISO 31000

ISO 27002