Security Risk Analysis: A Step-By-Step Guide
Technological advances and the current cyber environment push organizations to enact measures that satisfy security regulations on an ongoing basis. What is more, they need to go far beyond the bare minimum to strengthen their information security management system (ISMS) and keep it comprehensive, scalable, and resilient. Security risk analysis is a core requirement of many information security standards and regulations.
What is risk management?
Information security and risk management go hand in hand. Both processes address the organization's information security risks, which should be documented in the information security and risk management policy so that an information security risk management program can be implemented properly.
Information security risk management can be implemented successfully through an effective risk analysis process that uses modern risk analysis techniques. Several international standards specify risk approaches; ISO 27001, ISO 27005, ISO 31000, and BSI IT-Grundschutz are the preferred ones for creating and following an effective risk analysis model.
“Cybersecurity control failures were listed as the top emerging risk in the first quarter of 2021 in a global poll of 165 senior executives across function and geography.” – Gartner
What is risk analysis?
In IT-Grundschutz, security risk analysis refers to the complete process of determining (identifying, assessing, and evaluating) and treating risks. In the ISO standards ISO 31000 and ISO 27005, by contrast, “risk analysis” refers only to a single step within the overall risk management process.
Risk analysis, according to IT-Grundschutz
According to IT-Grundschutz, commonly used IT components are described as modules, each of which includes customizable lists of relevant threats and required controls at a relatively technical level.
IT-Grundschutz Standard 200-3 provides a more straightforward methodology for qualitative risk analysis than traditional risk analysis methods. Here are the basic steps of the risk analysis according to BSI Standard 200-2, performed with the risk analysis software Infopulse SCM.
Modeling: Preliminary work
The task of the modeling process is to identify which basic and standard security requirements have already been met and where the gaps are. You will create a list of the target objects for which a risk analysis should be carried out.
During this phase, you will evaluate the protection requirements of your assets and assign the levels “Normal,” “High,” and “Very high.”
Determine whether there are corresponding IT-Grundschutz modules for each target object and how they are to be applied.
The modeling process can be automated with the Infopulse Standards Compliance Manager, which provides:
- Automatic assignment of the requirements and controls recommended by the IT-Grundschutz modules;
- Monitoring of the implementation status of defined controls, requirements, and assets;
- Bulk editing of data, e.g., changing the realization status of requirements and controls for multiple assets;
- Assignment of the people responsible for task realization and control;
- Data visualization from different perspectives using various options in a table view (e.g., grouping by IT systems whose data backup requirements are not yet implemented).
Each IT-Grundschutz module contains a list of typical threats classified in threat catalogs; the 47 elementary threats are listed in the IT-Grundschutz Compendium.
In the risk analysis tool, Infopulse SCM provides a detailed description of each threat contained in a module:
- An adaptable catalog of threats specific to the individual organization, available in the Profile Library;
- A set of pre-defined catalog templates, e.g., the threat catalog from the IT-Grundschutz Compendium;
- Automated risk analysis for assets with high and very high protection requirements;
- Identification of threats and vulnerabilities and their mapping to the related assets or processes;
- A risk catalog based on the BSI G 0 list of 47 elementary threats;
- The possibility to create custom threats;
- Assignment of additional controls to threats, and monitoring of those controls and the connected requirements.
The classification of risks provides an overview of the extent of the risks that the threats pose to the respective target object.
Risk assessment considers the threats and damage scenarios in terms of potential damage, probability of occurrence, and the resulting risk category.
The BSI defines a risk matrix to illustrate the risk characterization, which can be adapted to individual needs. The risk matrix combines the risk categories (low, medium, high, very high) with the frequency of occurrence.
In Infopulse SCM, you can work with the risk matrix (4×4 or 5×5) to view the probability of each threat and its impact on each asset holistically and quickly identify the threats that require urgent treatment.
After you have identified and assessed your risks, you select a risk treatment option for each of them:
- Accept the risk;
- Mitigate the risk by taking action to reduce it in physical, technical, or administrative systems or controls;
- Avoid the risk – remove any compromised assets;
- Transfer the risk – assign it to another party;
- Share the risk with third parties by assigning components of information assets or certain processing activities to external stakeholders.
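As an added example (not code from this guide or from Infopulse SCM), the following Python sketch models the risk analysis steps described above: the protection-requirement filter from the modeling phase, a 4×4 risk matrix that maps frequency of occurrence and extent of damage to a risk category, and the recording of a treatment option. The scale labels, the matrix cell values, the sample assessments, and the rule that accepted risks above "low" are set for monitoring are assumptions made for illustration.

```python
from dataclasses import dataclass
# Scales for frequency and damage extent (labels per BSI 200-3, assumed) and risk categories.
FREQUENCY = ["rare", "medium", "frequent", "very frequent"]
DAMAGE = ["negligible", "limited", "considerable", "existentially threatening"]
CATEGORY = ["low", "medium", "high", "very high"]
# 4x4 risk matrix: row = frequency, column = damage, cell = category index.
# Cell values are constructed for this example; an organization adapts them to its needs.
MATRIX = [[0, 0, 1, 2],   # rare
          [0, 1, 2, 2],   # medium
          [1, 2, 2, 3],   # frequent
          [1, 2, 3, 3]]   # very frequent
TREATMENTS = {"accept", "mitigate", "avoid", "transfer", "share"}  # options from the guide

@dataclass
class ThreatAssessment:
    asset: str
    protection_requirement: str  # "Normal", "High" or "Very high" from the modeling phase
    threat: str                  # e.g. an elementary threat from the G 0 catalog
    frequency: str
    damage: str

def risk_category(frequency: str, damage: str) -> str:
    """Map a frequency/damage pair to its risk category via the matrix."""
    return CATEGORY[MATRIX[FREQUENCY.index(frequency)][DAMAGE.index(damage)]]
def needs_risk_analysis(a: ThreatAssessment) -> bool:
    """Only assets with High or Very high protection requirements enter the risk analysis."""
    return a.protection_requirement in ("High", "Very high")

def urgent(assessments: list[ThreatAssessment]) -> list[str]:
    """High/very high risks of analyzed assets, most severe first (input order otherwise)."""
    scored = [(CATEGORY.index(risk_category(a.frequency, a.damage)), a)
              for a in assessments if needs_risk_analysis(a)]
    return [f"{a.asset}: {a.threat} ({CATEGORY[c]})"
            for c, a in sorted(scored, key=lambda s: -s[0]) if c >= 2]

def treatment_record(a: ThreatAssessment, option: str) -> dict:
    """Validate the chosen option; an accepted risk above 'low' is flagged for monitoring (assumed policy)."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment option: {option}")
    category = risk_category(a.frequency, a.damage)
    return {"asset": a.asset, "threat": a.threat, "category": category, "treatment": option,
            "monitor": option == "accept" and category != "low"}

# Constructed sample assessments, not real organizational data.
SAMPLE = [
    ThreatAssessment("ERP server", "Very high", "G 0.28 Software vulnerabilities", "frequent", "considerable"),
    ThreatAssessment("Backup system", "High", "G 0.18 Bad planning", "rare", "limited"),
    ThreatAssessment("Payroll database", "High", "G 0.19 Disclosure of sensitive information", "frequent", "existentially threatening"),
]
```

Calling `urgent(SAMPLE)` lists the payroll database (very high) before the ERP server (high) and omits the backup system, whose risk is low.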
Infopulse SCM allows you to:
- Define risk mitigation measures and map them to requirements and controls;
- Accept risks automatically;
- Bulk edit selected threats;
- Set deadlines for risk treatment;
- Assign additional controls to threats and monitor them, as well as the connected requirements.
Threats that have been identified as currently acceptable but may increase in the future require further action and are usually set for monitoring. Companies usually develop additional security controls to use in case the risks become unacceptable.
The detailed record of risk monitoring history for project risk management is available on the dashboards of Infopulse SCM.
The solution enables you to generate standard reports (A1-A6) according to IT-Grundschutz and provides a framework for covering industry-specific security standards (B3S) and IT-Grundschutz profiles.
Effective and easy-to-use IT security management system based on the latest standards and regulations — from planning and establishing the security concept to certification.