Risk Management

April 27, 2017 isec

Service overview

During the life cycle of any IT project, especially one aimed at improving an organization's critical infrastructure, the range of threats to information and IT security changes constantly.

The exploitation of existing vulnerabilities can be devastating, and the damage takes many forms: a drop in the technical team's operational capacity under the load of incidents that must be handled immediately; the loss of key functionality and negative feedback from internal or external customers; the unauthorized disclosure and subsequent misuse of sensitive information; and, finally, non-compliance penalties on top of reputational damage and customer churn.

Controlling the security risks associated with an IT project, whether new or already implemented, is a success factor for the project itself and a prerequisite for reaching the required security level of the entire infrastructure.

isec has developed a dedicated service to identify risks, select suitable security measures and define the methods used to measure their effectiveness. The service can be tailored to the specifics of any infrastructure. When the customer has little or no risk management methodology of its own, isec recommends its own approach to the process.

Methodology

To reduce IT and information security risks to a minimum, all critical aspects are considered from the initial phase of defining the project architecture, through the move into production, and throughout operational life up to decommissioning.

We designed this service as a step-by-step process that closely follows the development of the IT project, so that changes and updates arising during the project are taken into account immediately and at minimal cost.

The service is divided into three stages, as follows:

  • Security requirements identification
  • Risk analysis and risk treatment
  • Security testing, including a follow-up phase

Interviews are conducted with senior managers (process owners, service and business line managers, representatives of interfacing processes) as well as with information security, compliance and technical representatives.

The process continues with the risk assessment, which identifies potential threats, estimates their probability of occurrence and their impact, and derives the initial risk value from these. We propose risk treatment options: risk reduction, acceptance, transfer or avoidance. The effectiveness of existing security measures is estimated, and new security measures may be proposed.

Once the treatment options are agreed, we recommend implementation measures and estimate their effectiveness after implementation. The risk values are re-estimated over several iterations, each intended to reduce them further. The risks that remain above the agreed acceptance threshold after treatment are identified as residual risks.
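The sequence just described (initial risk value, choice of treatment option, iterative application of measures with estimated effectiveness, and identification of residual risks against an acceptance threshold) can be made concrete with a small risk register. The example below is added here for illustration and is not isec's tooling or methodology; the scoring model (likelihood and impact on a 1-5 scale, risk value = likelihood x impact, control effectiveness as a fractional reduction), the acceptance threshold, and the assets, threats and controls in the register are all constructed assumptions.

```python
"""Risk-register walk-through: initial risk value, treatment, iteration, residual risk.

Added example only, not isec's tooling. The scoring model is an assumption:
likelihood and impact on a 1-5 ordinal scale, risk value = likelihood * impact,
and each control's estimated effectiveness expressed as a fractional reduction
of likelihood and/or impact. The assets, threats and numbers are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    REDUCE = "reduce"      # apply controls until the residual is acceptable
    ACCEPT = "accept"      # keep the risk as it is (needs sign-off if above threshold)
    TRANSFER = "transfer"  # shift impact to a third party (insurance, contract)
    AVOID = "avoid"        # remove the activity or asset that carries the risk


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: float = 0.0  # estimated effectiveness, 0..1
    impact_reduction: float = 0.0


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float  # 1..5
    impact: float      # 1..5
    treatment: Treatment = Treatment.REDUCE
    candidates: tuple = ()  # controls available for REDUCE / TRANSFER

    def initial_value(self) -> float:
        return self.likelihood * self.impact


def residual_value(risk: Risk, controls) -> float:
    """Risk value after the given controls, each applied to what is left."""
    likelihood, impact = risk.likelihood, risk.impact
    for c in controls:
        likelihood *= 1.0 - c.likelihood_reduction
        impact *= 1.0 - c.impact_reduction
    return likelihood * impact


def plan_treatment(risk: Risk, threshold: float):
    """Return (applied controls, residual value) for one risk.

    For REDUCE and TRANSFER the candidate controls are applied one per
    iteration, picking whichever lowers the residual most, until the residual
    is at or below the acceptance threshold or no candidate helps any more.
    """
    if risk.treatment is Treatment.AVOID:
        return [], 0.0
    if risk.treatment is Treatment.ACCEPT:
        return [], risk.initial_value()

    applied, remaining = [], list(risk.candidates)
    current = risk.initial_value()
    while current > threshold and remaining:
        best = min(remaining, key=lambda c: residual_value(risk, applied + [c]))
        candidate_value = residual_value(risk, applied + [best])
        if candidate_value >= current:
            break  # nothing left that reduces the risk
        applied.append(best)
        remaining.remove(best)
        current = candidate_value
    return applied, current


def assess(register, threshold: float):
    """One row per risk; 'acceptable' is False when the residual stays above threshold."""
    rows = []
    for risk in register:
        applied, residual = plan_treatment(risk, threshold)
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "treatment": risk.treatment.value,
            "initial": risk.initial_value(),
            "controls": [c.name for c in applied],
            "residual": round(residual, 2),
            "acceptable": residual <= threshold,
        })
    return rows


# Constructed sample register (assumed values, not real customer data).
REGISTER = [
    Risk("customer database", "SQL injection via web front end", 4, 5,
         Treatment.REDUCE, (
             Control("WAF rule set", likelihood_reduction=0.5),
             Control("parameterised queries", likelihood_reduction=0.8),
             Control("encryption at rest", impact_reduction=0.4),
         )),
    Risk("payment service", "volumetric DDoS", 3, 4,
         Treatment.TRANSFER, (Control("cyber insurance", impact_reduction=0.5),)),
    Risk("legacy FTP server", "credential sniffing", 5, 2, Treatment.AVOID),
    Risk("intranet wiki", "defacement", 2, 2, Treatment.ACCEPT),
    Risk("key backup media", "insider exfiltration", 3, 5,
         Treatment.REDUCE, (Control("dual control on access", likelihood_reduction=0.5),)),
]

ACCEPTANCE_THRESHOLD = 6.0  # assumed; in practice set by the customer's risk appetite


def residual_risks(register=REGISTER, threshold=ACCEPTANCE_THRESHOLD):
    """Entries still above the threshold after treatment: the residual-risk section."""
    return [row for row in assess(register, threshold) if not row["acceptable"]]


if __name__ == "__main__":
    for row in assess(REGISTER, ACCEPTANCE_THRESHOLD):
        flag = "" if row["acceptable"] else "  <-- residual above threshold"
        print(f"{row['asset']:<20} {row['treatment']:<8} {row['initial']:>5} -> "
              f"{row['residual']:>5} {row['controls']}{flag}")
```

In the sample register the database risk drops from 20 to 4 after a single iteration (parameterised queries alone bring it under the threshold, so the WAF and encryption candidates are never needed), the DDoS risk is transferred down to exactly the threshold, the FTP server is avoided outright, the wiki risk is accepted as is, and the key backup risk stays at 7.5 after the only available control and is therefore reported as a residual risk. The greedy one-control-per-iteration loop is a deliberate simplification; a real treatment plan also weighs the cost of each measure and the dependencies between them.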

Deliverable

The final deliverable is a comprehensive set of documents that covers all project phases and gives the customer complete information on the current state of the security solution, whether implemented or under implementation, ways to improve it, and recommendations for the next phases.

In general, the following points are addressed:

  • Project context (description, key stakeholders)
  • Project architecture (functional and technical architecture; functional, technical and security requirements; categories of information, users and access levels; data flows with inputs and outputs, including the analysis of their security attributes)
  • Risk analysis (critical assets, potential threats and associated risks)
  • Security solution (existing and recommended measures, estimated effectiveness)
  • Analysis of residual risk (the risks remaining above the acceptance threshold after treatment)

Other deliverables, depending on the service selected by the customer, may be:

  • Risk Treatment Plan
  • Controls Implementation Plan
  • Controls Testing Plan