Information security risk management in an organization
Modern information security risk management standards are advisory in nature, but practice has shown that applying them pays off. Certifying a company's processes against one of the international standards builds a positive business reputation and encourages partners to sign contracts.
Information security risk management standards
A company building an information security risk management model relies primarily on the ISO/IEC 27005:2008 standard. The entire 27000 series is dedicated to information security; its regulatory documents are developed and approved by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The purpose of the standards is to offer companies the best practical advice and methods for solving problems in the framework of building a common data security management system.
The adopted standards contain:
- general questions and terminology;
- requirements for building a system;
- norms and rules for creating a data security management system;
- system implementation and an implementation guide;
- information security risk management issues;
- approaches to measuring the quality of the security system and auditing the results of its implementation.
Some of the standards apply to bodies and organizations whose task is to oversee the construction of management systems and their certification. Certain documents cover the issues of telecommunications companies, ensuring business continuity in the face of varied and unpredictable threats, and network and application security.
The ISO/IEC 27005:2008 standard provides a methodology for assessing threats in the field of telecommunications and can be applied to the activities of private companies, government agencies, and non-profit organizations. It is based on the ISO/IEC 27001:2005 and ISO/IEC 27002:2005 standards (requirements and practical guidance on protection methods) and is not applicable without their implementation. The declared purpose of applying the standard is to ensure that the business goals set for the company cannot be adversely affected.
The standard understands an information security risk as a potential threat to the normal operation of a tangible asset, or of a group of valuable properties, that can harm the company. It names prevention as the main risk management method, understanding it as a business decision that keeps the company out of the area where a threat could be realized, or takes it out of the area where the threat might arise.
With regard to information security risk management, the standard proposes to apply the following types of procedures:
- communication, or the exchange of information about potential threats to the company, within the involved divisions of the company or in external relationships. An example of communication in risk management is the GosSOPKA system, which builds interaction between owners of critical information infrastructure facilities and government agencies;
- quantitative risk assessment. This term denotes assigning two quantitative characteristics to a risk: the probability of its occurrence and the amount of potential damage from its realization;
- risk identification. By this term the standard understands the process of finding, describing and registering a risk, including adding it to the list of threats relevant to a particular company. The FSTEC of the Russian Federation deals with the identification of threats and publishes a list of them on its website;
- risk reduction. This term refers to actions aimed at minimizing the chance that a risk manifests, or at reducing the potential damage from its consequences;
- risk retention. This is the acceptance of the inevitability of a threat, or the refusal to reduce it because reduction is inexpedient, while accepting the possible damage or benefit from its occurrence;
- risk transfer. This means shifting some of the burden of protecting against a risk to another company, for example, placing data in a cloud storage that is more secure than the enterprise system.
The structure of the standard is built around the actions that can be performed on risks. It consists of sections describing the actions of the company manager who is tasked with security:
- determination of the current state of the system, description of the probabilities of risk occurrence, and their identification;
- risk assessment: the probability of occurrence and the consequences. For example, having determined the likelihood of DDoS attacks on a company's server, you can decide to increase the bandwidth of the telecommunications channel;
- risk treatment or creation of conditions for its minimization;
- acceptance of the threat;
- threat transfer;
- control and review of risks.
The annexes to the standard suggest a mechanism for implementing these actions. For certain types of risk, limits on their minimization are proposed. Each action of the company's management in the information security risk management process is considered within four stages:
1. Input. The process of requesting and analyzing the information necessary to perform a management action is considered here;
2. Action. The mechanism of the management action is described here;
3. Implementation guidance. Here are practices from other companies that suggest the best way to take the action. The standard emphasizes that such practices are not comprehensive or exhaustive, and the company's consultants may offer a more suitable mechanism for performing the required steps;
4. Output. This describes the information that should be obtained after completing the required steps.
Prerequisites for the implementation of a risk management model
It is impossible to implement a working information security risk management mechanism in an organization without prior preparation. The standard recommends a systematic approach to risk management, correlating technical and organizational solutions, and eliminating redundancy: no effort should be wasted on risks whose probability is minimal. The concept of complete control over all threats must be abandoned in favor of focusing on the most likely or the most dangerous ones. Otherwise, security measures can interfere with the normal flow of the organization's business processes.
At the same time, the information security risk management system in the organization must ensure continuity of the process. Thus, software products for monitoring the health of the system and detecting information security incidents should not only run constantly, but also support a continuous response to those incidents.
Risk management objectives:
- assessment of the current situation, threat model and state of the information system;
- assessment of potential threats;
- treating risks based on a previously developed plan for tracking and working with them;
- implementation of the recommendations of the standard and independent decision-making.
Good risk management includes the following elements:
- identification of risks, assessment of the degree of probability of their occurrence, financial and reputational damage that the company will incur in this case;
- communicating information about probable risks and their consequences to the company's management;
- prioritization of implemented solutions based on the opinion of the company's management;
- reaching agreement between all participants in risk treatment;
- constant reassessment of risks and changes to the methods of countering them;
- recording and analyzing data on the results of countering risks;
- professional development of employees responsible for information security risk management in the organization.
Achieving high results is based on a comprehensive system of risk mitigation implemented at the level of a group of enterprises, an individual company, its division or a local network.
Information security risk management mechanisms
A business unit responsible for information security risk management should be established within the company and should act on the basis of approved regulations. The regulations describe the key stages of risk management, their content, and limits on the application of individual actions.
Assessment of the current situation
Establishing the context within which decisions about the organization's information security risk management procedure are to be made begins with collecting all information about the company concerning the value of its information assets and the state of its information system.
Next, a list of actions necessary for implementing the management system is drawn up:
- empowering a particular department to manage risks, identifying the degree of competence of its employees;
- prescribing the powers of the unit in the regulatory documents, defining the boundaries of its competence;
- engaging an outsourcing organization to solve individual threat management tasks, defining a model of interaction with it.
Next, you need to move on to assessing the scope of actions required to implement the protection strategy.
Criteria for assessing the level of threat:
- strategic influence of the realized risk on business processes taking place in the information environment;
- the criticality for the company of the information assets that could be affected by the risk;
- the presence of additional regulatory requirements that determine the degree of protection, for example, the need to protect the personal data of customers or the commercial secrets of the counterparty;
- practical value of compliance with the requirements of confidentiality, integrity and availability of information.
After assessing the risks, it is necessary to develop criteria for treating them and criteria for the admissibility of a threat. These define sensitivity thresholds; exceeding a threshold makes treatment mandatory.
The criteria can be expressed as coefficients giving the ratio of the cost of minimizing the threat to the expected commercial damage.
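The following Python risk register is an added illustration, not part of the standard or of the original article: it applies the quantitative assessment described above (probability multiplied by damage), an admissibility threshold, and the cost-to-damage coefficient to choose between retaining, reducing and transferring each risk. All names, values and thresholds are constructed.

```python
from dataclasses import dataclass

# Constructed thresholds (illustrative, not taken from any real assessment).
ACCEPTANCE_THRESHOLD = 5_000.0  # expected yearly loss below this is retained as-is
MAX_COST_RATIO = 1.0            # reduce only if control cost / avoided loss <= 1.0


@dataclass
class Risk:
    name: str
    probability: float   # expected occurrences per year
    damage: float        # loss per occurrence, in money units
    control_cost: float  # yearly cost of the candidate reducing control
    reduction: float     # fraction of expected loss the control removes (0..1)

    def expected_loss(self) -> float:
        # Quantitative assessment: probability x damage, per year.
        return self.probability * self.damage

    def cost_ratio(self) -> float:
        # Coefficient from the text: cost of minimizing the threat relative to
        # the expected commercial damage that the control would remove.
        avoided = self.expected_loss() * self.reduction
        return float("inf") if avoided == 0 else self.control_cost / avoided


def treatment(risk: Risk) -> str:
    """Map one risk onto the treatment options the standard lists."""
    if risk.expected_loss() < ACCEPTANCE_THRESHOLD:
        return "retain"    # below the admissibility threshold
    if risk.cost_ratio() <= MAX_COST_RATIO:
        return "reduce"    # the control costs less than the loss it avoids
    return "transfer"      # too costly to reduce in-house


def prioritized(register):
    """Rank risks by expected loss, highest first, with the chosen treatment."""
    ranked = sorted(register, key=lambda r: r.expected_loss(), reverse=True)
    return [(r.name, round(r.expected_loss(), 2), treatment(r)) for r in ranked]


# Constructed sample register.
REGISTER = [
    Risk("DDoS on public web server", 2.0, 20_000, 15_000, 0.8),
    Risk("Laptop theft with unencrypted data", 0.5, 60_000, 4_000, 0.9),
    Risk("Printer firmware defect", 0.1, 3_000, 2_000, 0.5),
    Risk("Data-centre fire", 0.02, 1_000_000, 50_000, 0.7),
]

if __name__ == "__main__":
    for row in prioritized(REGISTER):
        print(row)
```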
Once the risk assessment is complete, the company proceeds to treatment, which takes the form of actions to prevent, minimize or transfer risks. Cases in which a risk should be retained, because preventing it would be unprofitable, are recorded separately. The greatest attention is paid to rare but serious risks that could impair the operation of the information system as a whole or halt it indefinitely. Training and informing employees should be carried out continuously; this addresses both the most important risks and the less obvious ones.
Sometimes maintaining tighter control over the existing level of information security matters more than rebuilding the system. Resources spent on restructuring may be used inefficiently, while regulators' requirements must be observed strictly in any case.
Implementing an information security risk management strategy built on the international standards will secure the organization's activities in the information space.