Security Risk Analysis & Assessment, and ISO 27000 Compliance
THE SRM TOOLKIT
This is widely considered to be the ulitmate toolset for security risk professionals.
It can now be viewed on its own dedicated website: www.risk.biz
The Leading Security Risk Analysis and ISO 27000 Compliance Tool
Why do most major businesses and many public organizations now employ a formal security Risk Analysis methodology? What tangible benefits and advantages does such a program actually bring? How can these be maximized? To answer these questions, we need to go back to the basics and also ask 'what is risk analysis?'.
A classical definition of Risk Analysis is one which describes it as a process to ensure that the security controls for a system are fully commensurate with its risks.
This description is accurate, at the highest level. However, there are many other almost equally beneficial advantages. The list below was compiled by an existing COBRA customer:
Cost Justified Security
Additional security almost always involves additional expense. As this does not directly generate income, it is important that this is justified in financial terms. The Risk Analysis process should directly and automatically generate such justification, vindicating all the security recommendations made.
Business Related Security: Breaking Barriers
Risk Analysis should not only direct appropriate information at both department management and IT staff, but play a major and pro-active role in enhancing the understanding of each, of the needs and role of the other.
Greater Productivity: Audit/Review Savings
A Risk Analysis program should increase the productivity of the security or audit team. By creating a review structure, formalizing and automating the review, pooling security knowledge in the system's "knowledge base", and utilizing "self-analysis" features, much more productive use of time is possible. The ability to 'build-in' expertise should also alleviate the need for expensive external security consultants.
Self Analysis: The Integration of Security
The Risk Assessment system should enable security to be driven into more areas and to become more devolved. It should allow security to become part of the organization's culture, allowing departmental management to take more of the responsibility for ensuring an adequate and appropriate level of security.
Better Targeting of Security
Security should be properly targeted, and directly related to potential impacts, threats, and existing vulnerabilities. Failure to achieve this could result in excessive or unnecessary expenditure. Risk Analysis promotes far better targeting and facilitates accurate security decisions.
Increased Security Awareness
The wide scale application of a risk assessment program, by actively involving a range of, and greater number of, staff, will promote security as an issue for discussion, and increase security awareness within the enterprise.
The Application of 'Baseline' Security and Policy
Many organisations require adherence to certain 'baseline' standards. This could be for a variety of reasons, such as legislation (eg: Data Protection Act), organization policy, regulatory controls, etc. The Risk Analysis methodology should support such requirements, and enable rapid identification of shortcomings.
A major benefit of the application of Risk Analysis is that it brings a consistent and objective approach to all security reviews. This not only applies across different departments, but different types of department.