Information and information processing are among the most critical success factors in every organisation. Accordingly, information security and its management are of major importance in order to protect this precious asset. Protecting information and information processing includes asking about future threats: IT security risks.
An effective and efficient risk management system is fundamental to successful IT security management. Standards like the ISO 27000 series require risk assessment and risk management as part of an Information Security Management System (ISMS). A systematic risk management approach shall be used to identify and assess risks and to prepare treatments. Enterprise Risk Manager™ can support this risk management effort.
Risk management in IT security does not formally differ from any other operational risk management. The PDCA approach (Plan-Do-Check-Act), also known from quality management, visualises the main steps of information security risk management:
It is important to understand that risk management is a continuous process. The risk review is about re-thinking existing risks and their assessment as well as identifying new risks. The following table provides additional information on the risk management process steps:
|Process step|Activities|
|---|---|
|Establishing the Basis|Inventory of information and information processing|
|Risk Identification|Threat Identification; Vulnerability Identification; Control Analysis|
|Risk Assessment|Likelihood|
|Treatment Identification|Cost-Benefit Analysis; Decision for Treatments|
|Monitoring|Risk Review; Treatment Monitoring|
|Risk Communication|Risk Reports, Risk Charts, Risk Dashboard|
Risk Identification in information security management consists of three major steps:
1. The identification of assets
2. The identification of threats
3. The identification of vulnerabilities
In order to conduct a risk assessment we need to have clearly identified risks. Two questions need to be asked to learn about the risk:
The results of risk assessments make it possible to rate risks and prioritise them in order to decide which risks are treated first.
The basic rule for risk treatments is that they must have a return-on-investment higher than one. In other words: the benefits from the treatments must be higher than their costs. Risk treatments can be categorised as follows:
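As an added worked example (not part of the original page and not Enterprise Risk Manager code), a small Python risk register that prioritises risks by exposure and applies the return-on-investment rule above to candidate treatments. The register entries, the impact values, the exposure formula (likelihood × impact) and all costs are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: float  # assumed scale: expected occurrences per year
    impact: float      # assumed: loss per occurrence, in currency units
    def exposure(self) -> float:
        # Annual expected loss, used to rate and prioritise the risk (assumed formula).
        return self.likelihood * self.impact

@dataclass
class Treatment:
    risk_index: int             # position of the treated risk in the register
    name: str
    cost: float                 # assumed annual cost of the treatment
    residual_likelihood: float  # likelihood remaining once the treatment is in place

# Constructed sample register: one (asset, threat, vulnerability) triple per risk.
REGISTER = [
    Risk("customer database", "ransomware", "unpatched server", 0.20, 500_000),
    Risk("staff laptops", "theft", "no disk encryption", 0.50, 20_000),
    Risk("web portal", "credential stuffing", "no second factor", 0.30, 150_000),
]
# Constructed candidate treatments with assumed costs and residual likelihoods.
TREATMENTS = [
    Treatment(0, "patch management", 30_000, 0.05),
    Treatment(1, "full-disk encryption", 15_000, 0.10),
    Treatment(2, "multi-factor authentication", 20_000, 0.05),
]

def prioritise(register):
    # Register indices ordered from highest to lowest exposure: treat these first.
    return sorted(range(len(register)), key=lambda i: register[i].exposure(), reverse=True)

def treatment_roi(register, t):
    # Benefit is the reduction in annual expected loss; ROI is benefit per unit of cost.
    risk = register[t.risk_index]
    benefit = (risk.likelihood - t.residual_likelihood) * risk.impact
    return benefit / t.cost

def decide_treatments(register, treatments):
    # The rule from the text: accept a treatment only if its ROI is higher than one.
    rois = [(t.name, treatment_roi(register, t)) for t in treatments]
    return [(name, round(roi, 3), roi > 1.0) for name, roi in rois]
```

With the constructed values, patch management and multi-factor authentication are accepted while full-disk encryption (ROI about 0.53) is rejected, which shows why a treatment that looks sensible can still fail the cost-benefit test for a given register.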
Enterprise Risk Manager™ is a web-enabled multi-user Microsoft .NET application using SQL Server relational database supporting hundreds of decision makers across the enterprise. It includes Microsoft Windows single sign-on authentication, role based security for risk management in context, international dates and currencies, and translatability to any other language.
Enterprise Risk Manager™ is a product within Incom’s overall software suite known as INCOM®, and may be integrated with:
All software has the same look and feel.
Enterprise Risk Manager™ is a very effective risk management software because it ...