Risk Management to direct, control and carry the risk related to Information security at levels acceptable to the organization. Practicing this activity requires a series of processes and procedures that need to be aligned with a well-established and consistent methodology. In addition to optimizing information security resource expenditures, risk management also keeps the organization prepared to address incidents related to Information security.
Risk management is not yet a common and consolidated practice in the Brazilian market. Although Information Security has gained notoriety and become a concern in organizations, risk management has not yet received the same treatment.
Risk management assists in the creation of action plans after defining operational risks, technological risks, business risks and can be applied in various situations, such as:
• Face problems with unnecessary IT spending;
• Measure impact through unavailability of critical assets and processes;
• Classify the criticality and risks of assets and processes, as well as check for conflicts;
• Plan mitigation actions related to vulnerabilities.
Risk Management Research
Research indicates that organizations have difficulties in initiating and maintaining risk management and these difficulties are precisely at crucial stages of the process, such as following a guideline standard, correctly defining the scope of risk analysis assets, mapping new risks, identifying vulnerabilities and risk reassessment.
According to research released by Assepro Nacional (Association of Brazilian Information Technology Companies) this year, 70% of national companies already prioritize Information Security and understand its importance for their business objectives. In a survey conducted by KPMG in Brazil with about 70 companies from different sectors in the country, only 44% perform the Risk Management activity.
Given this scenario, it is clear that there is a concern to keep the organization's information secure, probably investing in specialized equipment and software, but not the same care in planning these actions to minimize risks and even avoid unnecessary costs for the organization. .
THE risk management can be performed based on standards created specifically for the subject, among the most used in the market are the ISO 27005 and ISO 31000.
THERESO 27005 has a unique and unique vision for information security risks and guides every step of a risk assessment from risk analysis to risk management. According to ISO 27005, they are:
Definition of Context or Scope
Assessment of risk estimates made
Already ISO 31000 deals with risk management at a corporate level and not just within Information Security, providing details of probability calculations, consequence assessment.
There are currently a number of specific risk management tools such as RSA Archer, which in its Risk Management module assists with all stages of risk management.
However, following a standard in addition to having a tool is no guarantee of success for risk management. A skilled team is required to perform this activity and achieve the benefits generated as:
• Resource optimization;
• Cost reduction;
• Taking advantage of new opportunities;
• Improved planning;
• Reduction of surprises and unexpected losses.
The fact is that the benefits of well-executed risk management are numerous for the organization, from calculating ROI to identifying business opportunities during analysis.
Risk management is a dynamic, continuous process essential to the good governance of any organization. Therefore, all organizations must have the ability and competence to diagnose, prioritize, monitor and address their risks, always aware of changes in the internal and external environment so as not to be surprised by unknown or uncontrolled risks. There are many challenges encountered in carrying out risk management and to face them requires a team prepared to do so. With well-executed and well-managed risk management, the benefits to your organization will undoubtedly be satisfactory and bring countless opportunities to the business.
* By Protásio Campina Junior - He is Information Security coordinator
Regarding the [SAFEWAY]
SAFEWAY is an Information Security company, recognized by its customers for offering high value added solutions through Information Security projects that fully meet business needs. During these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence in our clients, which constitute in large part the 100 largest companies in Brazil.
Today through more than 20 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best technology solutions, processes and people.
Let's make the world a safer place to live and do business!