Information security risk management
A company's information security risk management model is built on the general mechanics of managing the risks of its particular business.
One of three approaches is usually implemented:
- situational (reactive) response;
- reliance on the recommendations of regulators;
- reliance on international standards.
If a company is not a personal data operator subject to serious regulatory requirements, does not process biometric or medical information, and has only a small number of user accounts, it rarely adopts a risk management model based on a strategic approach.
In the absence of strict regulatory requirements, a company that still wants to limit the consequences of data leaks and attacks with minimal effort typically relies on the following mechanisms:
- building a current threat model that takes into account the present malware landscape;
- establishing a trade secret regime at the enterprise, with a list of the documents and data in this category and a list of the persons authorized to use and process them;
- enabling and keeping up to date the firewalls and antivirus tools built into operating systems, supplemented where needed by purchased standalone security software;
- encrypting data where necessary.
Alongside these obvious risk-reduction measures, standard physical security and HR practices help maintain the level of information security:
- informing and training staff about information security risks;
- including a clause on observing the trade secret regime in employment contracts;
- material incentives for staff who handle data security conscientiously;
- physical access control and video surveillance on the premises;
- controlling the use of mobile devices and removable media;
- developing and adopting internal regulations that define the main security rules.
Implementing these standard measures together, even without specialized methods for managing information security risks, reduces the likelihood that threats will be realized.
If a company operates in a high-risk area, however, simple measures will not counter most of the threats it faces.
The high-risk category includes enterprises that:
- process large volumes of citizens' personal data, currently the most sought-after commodity on the black market for information;
- belong to the financial sector, where attackers seek information about citizens' accounts or direct access to them;
- own critical information infrastructure facilities in communications, energy or defense;
- operate industrial automated control systems (ACS) in production, whose failure can cause serious accidents.
Such companies have to take their information security risk management strategy more seriously.
First of all, they need to focus on the requirements of the regulators, which include:
- Central Bank of the Russian Federation (for banks and companies operating in financial markets);
- FSTEC RF;
- FSB of Russia.
Government agencies propose standards for building a system of organizational measures to protect against information security risks and set rules for the use and certification of software and hardware. Complying with regulatory recommendations can be costly, especially when certified software must be installed and premises must be qualified for the required security class. But these costs are partly offset: the company no longer has to create its own risk management methodology, threat model and list of required protection measures from scratch.
Companies operating in the international market follow international standards and methodologies such as ISO, OCTAVE, CRAMM and RA2 in matters of information security risk management. The Bank of Russia's sectoral methodology RS BR IBBS 2.2 can also be applied to enterprises outside the financial sector.
These standards implement a risk management cycle built on identification, assessment, acceptance, treatment, and assessment of consequences.
Each stage of working with risks is regulated, and applying the methodology yields quantitative indicators of the effectiveness of the work done. Once the system is in place, the company can have its activities certified for compliance with the methodology. Such certification is a serious competitive advantage for an organization operating in international markets, where increased attention is paid to information security.
The risk assessment techniques used fall into two groups, qualitative and quantitative. They allow an organization to estimate the likelihood of risks, the severity of their consequences and the amount of damage that could be caused.
There are two prerequisites for certifying an organization under an international information security risk management standard:
- establishing a separate unit responsible for risk assessment;
- adopting a risk assessment and management policy.
The document may have a different name, but its essence is unambiguous: an exhaustive set of rules for managing information risks.
Mandatory sections of the policy:
- objectives of risk management, for example minimization or acceptance;
- the risk management processes used;
- damage assessment criteria;
- risk assessment criteria;
- functional responsibilities of departments.
The policy is approved at the level of company management and is binding on all divisions.
Among the objects within the company's sphere of interest, risks can be assessed for the following groups:
- information systems and data stores;
- services and applications;
- business processes;
- equipment and its availability;
- cloud services;
- partners and clients.
It should be borne in mind that when a company's information system is well protected, attackers seeking information about it may instead attack the information systems of its suppliers.
Information security professionals recommending how to introduce a risk management methodology consider it necessary to limit the first stage of building the system to a single object, for example one information store or an auxiliary business process. Piloting the technique on it helps identify weaknesses in the company's management system and information processes, and avoids mistakes and wasted resources when the technique is later scaled to other objects. After the pilot, the risk management system should be extended to all of the company's facilities and divisions.
At the first stage of developing and implementing an ISMS, the risks must be identified and described, and the assets to be protected must be identified. Information assets can be ranked by their value to the organization and by other criteria, for example whether they are subject to legal protection.
Typically, an organization has the following groups of assets for which an information security risk management system should be implemented:
- personal data;
- strategic plans of the company;
- client databases;
- know-how and scientific developments;
- service secrets.
To protect these groups of information, a commercial (trade) secret regime must be introduced at the enterprise; violators can then be held liable, from disciplinary up to criminal liability. The list of identified assets to be protected should become an annex to the risk management policy. In addition, the owner of each information asset must be specified: an employee or department responsible for its security.
Along with identifying assets and their owners, the business processes associated with protecting against risks must be described. Using specialized business process modelling software helps optimize them, remove unnecessary links in the organizational chain or redundant staff, and reduce costs. Describing the processes related to information security can become a starting point for optimizing all of the organization's business processes.
When determining the value of an information asset and the cost of the measures aimed at protecting it, one should proceed from the principle of proportionality. Potential damage ranges from low to significant, and this ranking may not coincide with the confidentiality rating. Where some protection measures would be excessive for an asset whose loss causes minor damage, all available measures should be taken for an asset of critical value.
Critical assets include:
- state secret, if it is available to the company in connection with the specifics of its activities;
- information about assets, accounts, deposits and other tangible holdings;
- scientific research, new developments;
- personal data.
It is extremely important to substantiate the valuation of an information asset. This can be done by engaging an independent appraiser, who will determine its value using the market, cost and income approaches. Such an assessment will help in litigation where the amount of damage must be proven in order to obtain compensation.
When assessing threats and risks, two criteria should be used:
- the likelihood of the threat being realized;
- the degree of damage that can be caused by the threat.
A quantitative assessment of risks and their likelihood is more precise and more useful than a qualitative one, but some information assets cannot be quantified. This calls for a balanced approach when building an information security risk management system. Such a comprehensive solution, combining national and international standards, will help raise the organization's level of information security.
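As an added example, not part of the original article, the Python script below puts the two criteria above (likelihood and damage) into a small risk register that scores each asset-threat pair both qualitatively (a 5x5 likelihood-impact matrix) and quantitatively (single loss expectancy times annualised rate of occurrence, the usual ALE = SLE x ARO method, which the article does not itself prescribe), and then applies the proportionality principle from the section on asset value to decide whether each risk is treated or accepted. The assets, owners, threats, controls, scales and all figures are constructed assumptions for illustration.

```python
"""Risk register demo: qualitative and quantitative scoring side by side,
plus a treatment decision based on the proportionality principle.

Added example, not part of the original article. All assets, threats,
controls, scales and numbers are constructed for illustration.
"""
from dataclasses import dataclass

# Qualitative scales, 1 (lowest) to 5 (highest); assumed, not from the article.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # employee or department responsible for the asset
    value: float          # monetary value, e.g. from an independent appraisal
    confidentiality: int  # 1..5 confidentiality rating (may differ from damage rank)
    critical: bool        # in a critical category (personal data, R&D, ...)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str   # qualitative, key of LIKELIHOOD
    impact: str       # qualitative, key of IMPACT
    aro: float        # quantitative: annualised rate of occurrence
    exposure: float   # quantitative: fraction of asset value lost per event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float  # fraction by which the control lowers the ARO (0..1)


def qualitative_score(threat):
    """Likelihood x impact on a 5x5 matrix; returns (score, level)."""
    score = LIKELIHOOD[threat.likelihood] * IMPACT[threat.impact]
    if score >= 15:
        return score, "critical"
    if score >= 8:
        return score, "high"
    if score >= 4:
        return score, "medium"
    return score, "low"


def annualised_loss(asset, threat):
    """Quantitative: SLE = value x exposure factor, ALE = SLE x ARO."""
    single_loss = asset.value * threat.exposure
    return single_loss * threat.aro


def annual_saving(asset, threat, control):
    """Expected yearly loss avoided if the control is in place."""
    before = annualised_loss(asset, threat)
    after = before * (1.0 - control.aro_reduction)
    return before - after


def treatment_decision(asset, threat, control):
    """Proportionality rule: pay for a control only when its cost is commensurate
    with the loss it prevents; critical assets get all available measures anyway."""
    if asset.critical:
        return "mitigate"
    if annual_saving(asset, threat, control) > control.annual_cost:
        return "mitigate"
    return "accept"


# Constructed sample register: (asset, threat, candidate control).
SAMPLE = [
    (Asset("client database", "CRM team", 500_000, 5, critical=True),
     Threat("database exfiltration", "possible", "major", aro=0.25, exposure=0.5),
     Control("field-level encryption and access logging", 40_000, 0.75)),
    (Asset("marketing plan draft", "Marketing", 20_000, 2, critical=False),
     Threat("laptop theft", "unlikely", "minor", aro=0.125, exposure=0.5),
     Control("DLP agent on all laptops", 3_000, 0.75)),
    (Asset("R&D results", "R&D department", 2_000_000, 5, critical=True),
     Threat("insider copying to removable media", "unlikely", "critical", aro=0.0625, exposure=0.25),
     Control("removable media lockdown plus DLP", 60_000, 0.5)),
]


def build_register(entries=SAMPLE):
    """Score every entry both ways and order by annualised loss, highest first."""
    rows = []
    for asset, threat, control in entries:
        score, level = qualitative_score(threat)
        rows.append({
            "asset": asset.name, "owner": asset.owner, "threat": threat.name,
            "qual_score": score, "qual_level": level,
            "ale": annualised_loss(asset, threat),
            "saving": annual_saving(asset, threat, control),
            "control_cost": control.annual_cost,
            "decision": treatment_decision(asset, threat, control),
        })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


if __name__ == "__main__":
    for r in build_register():
        print(f"{r['asset']:<22} {r['qual_level']:<8} ALE={r['ale']:>9,.0f} "
              f"saving={r['saving']:>8,.0f} cost={r['control_cost']:>7,.0f} -> {r['decision']}")
```

Two things the table makes visible that the prose only states: the qualitative and quantitative rankings need not agree (the R&D threat has "critical" impact but a lower ALE than the client database, because its rate of occurrence is low), and proportionality cuts both ways: the laptop-theft control costs more per year than it saves and the risk is accepted, while the R&D control also fails the cost test but is applied anyway because the asset is in a critical category.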