Risk management looks at the future of your company and serves as a tool for identifying potential threats to information security; it also defines the measures taken to counter them. Even if not every eventuality can be anticipated (the coronavirus pandemic being a case in point), the principle of being prepared applies. Risk management consists of risk identification, risk analysis, risk assessment, risk treatment and continuous risk monitoring.

Objective and scope of risk management

Opportunities and risks are constant companions of entrepreneurial activity and therefore the subject of management. Legal and regulatory requirements also demand the establishment and operation of a formal risk management system. However, this should be effective and efficient at the same time. Tool-supported corporate management, in which the handling of risks is defined, is therefore indispensable.

The risk management process is documented in the information security management system (ISMS for short) and can be accessed there if required. Roles, rights, functions and responsibilities are also defined in this system. A dedicated risk manager assumes the control function. This role often coincides with the Information Security Officer (ISO). The risk manager’s task is to continuously record, monitor and evaluate risks and to manage any measures to prevent or manage these risks.

In doing so, the risk manager is by no means alone, but is obliged to involve the relevant specialists in the risk process. In practice, risks do not arise in risk management itself, but in the company’s primary and secondary value creation processes, and these processes are the responsibility of managers and employees. Employees are therefore the risk owners and the experts for each individual risk. The risk manager and risk management have the task of uncovering these risks and making them transparent for the company, so that the necessary measures can be taken even in complex corporate structures. In this respect, risk management is a living process that is subject to constant change within the company.

Company information is protected as part of information security management. The availability, integrity and confidentiality of information must be guaranteed.

Risk management has the following objectives:

  • Identification of your information-related risks.
  • Identification and assessment of your weak points.
  • Determination of your information-relevant company assets and their owners.
  • Evaluation of risks according to comprehensible criteria.
  • Setting up measures to reduce your risks.
  • Decision-making on the priority of your risk treatment and on the implementation of the proposed measures.
  • Documentation and communication of your relevant risks.

Risk management method

The handling of risks depends on the chosen risk management method. In Germany, BSI Standard 200-3 is a de facto standard for risk management. Another widely used method is ISO/IEC 27005, but for effective and efficient risk management the company’s requirements must be examined individually. Legal requirements, contractual obligations and other requirements vary from company to company and from sector to sector, and the level of those requirements is not the same for every company. A good example of this is financial service providers with their special requirements under MaRisk.

Risk identification

In practice, risk management begins with the systematic recording of relevant risks, i.e. risk identification. To this end, all relevant processes, applications, systems, networks and locations are first recorded. These recorded objects are assets and represent the values of the company. Hierarchies and dependencies may exist between them, and they matter: in many cases the mobile device of a managing director or administrator poses a greater risk to the company if compromised than the device of a temporary worker, even though the vulnerability is the same. In addition, managing directors work at different locations and therefore have more dependencies than a temporary worker at a specific location.

The following protection goals should be considered; an information security risk is the potential loss of one of these properties:

Confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities or processes.

Availability: property of an asset of being accessible and usable on demand by an authorized entity.

Integrity: property of ensuring the accuracy and completeness of assets. In particular, this includes the property that information is not changed without authorization.

The aim is to record all of the company’s relevant assets and group them into specific classes for efficient further processing. For example, it does not make sense to record each laptop individually, but rather to form groups of similar laptops in terms of threat and vulnerability. In addition, responsible persons, so-called risk owners, must be defined.

Risk analysis and assessment

In the risk analysis, the assets are examined, the risks are assessed and measures are defined. An existing risk or threat catalogue, e.g. the elementary threats from the BSI’s IT-Grundschutz (IT baseline protection), is often used. This makes the work easier and, as a framework, offers the assurance that everything has been thought through in a structured way.

The risk assessment enables the identified risks to be weighted and evaluated according to probability of occurrence and level of damage. The subsequent classification of the risk into the corresponding risk class of low, medium, high or very high concludes the risk assessment.

Risk treatment

Risk treatment follows the obvious fact that an assessment does not prevent a risk or overcome it if it occurs. Risks must be treated appropriately according to their assessment. As part of risk treatment, risks can be avoided, reduced, transferred or accepted.

For example, a mobile device can be stolen or infected with malware by an attacker. Malware is therefore a threat that must be assessed as an information risk; it affects integrity (and, depending on the malware, confidentiality and availability as well). Possible measures include the exclusion of certain device types, a usage policy or the use of an anti-malware solution. With such measures in place, the residual risk here can be classified as low.

The risk owners can vary depending on the measure. The time of implementation and the implementation status must be recorded and monitored.
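The three steps above (recording assets and their dependencies, rating each asset/threat pair by probability and damage, and choosing a treatment) can be modelled in a small risk register. The following is an added example, not code from GRASP or from any standard; the ordinal scales, the matrix thresholds, the treatment policy and the sample assets are assumptions made for illustration. The dependency handling follows the maximum principle (an asset inherits the highest damage level of everything that depends on it), which is how the managing director’s laptop ends up in a higher class than the temporary worker’s although both share the same vulnerability:

```python
"""Toy risk register: identification -> assessment -> treatment.
Added example; scales, thresholds, policy and data are assumptions."""
from dataclasses import dataclass, field

# Ordinal scales (assumed): probability of occurrence and level of damage.
LIKELIHOOD = {"rare": 1, "medium": 2, "frequent": 3, "very frequent": 4}
DAMAGE = {"negligible": 1, "limited": 2, "considerable": 3, "existential": 4}
DAMAGE_NAME = {v: k for k, v in DAMAGE.items()}


@dataclass
class Asset:
    name: str
    owner: str                  # risk owner responsible for this asset
    damage: str                 # own damage level if the asset is compromised
    depends_on: list = field(default_factory=list)  # names of supporting assets


@dataclass
class Threat:
    name: str
    affects: str                # protection goal: confidentiality/integrity/availability
    likelihood: str


def effective_damage(asset_name: str, register: dict) -> int:
    """Maximum principle (assumed): an asset inherits the highest damage
    level of every asset that depends on it, transitively."""
    level = DAMAGE[register[asset_name].damage]
    for other in register.values():
        if asset_name in other.depends_on:
            level = max(level, effective_damage(other.name, register))
    return level


def risk_class(likelihood: str, damage_level: int) -> str:
    """4x4 risk matrix collapsed into the four classes named in the text.
    The thresholds are assumptions."""
    score = LIKELIHOOD[likelihood] * damage_level
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    if score <= 9:
        return "high"
    return "very high"


# Treatment policy (assumed): which option each class requires.
TREATMENT = {
    "low": "accept",
    "medium": "reduce",
    "high": "reduce (management sign-off)",
    "very high": "avoid or transfer",
}


def assess(register: dict, threats: list) -> list:
    """Cross every asset with every threat and return the register rows."""
    rows = []
    for asset in register.values():
        dmg = effective_damage(asset.name, register)
        for threat in threats:
            cls = risk_class(threat.likelihood, dmg)
            rows.append({"asset": asset.name, "owner": asset.owner,
                         "threat": threat.name, "affects": threat.affects,
                         "damage": DAMAGE_NAME[dmg], "class": cls,
                         "treatment": TREATMENT[cls]})
    return rows


def find(rows: list, asset: str, threat: str) -> dict:
    return next(r for r in rows if r["asset"] == asset and r["threat"] == threat)


# Constructed sample data: two laptops with the same vulnerability, but
# different business processes depend on them.
REGISTER = {a.name: a for a in [
    Asset("board reporting", "CFO", "existential",
          depends_on=["laptop: managing director"]),
    Asset("campaign mailing", "marketing lead", "limited",
          depends_on=["laptop: temp worker"]),
    Asset("laptop: managing director", "IT operations", "negligible"),
    Asset("laptop: temp worker", "IT operations", "negligible"),
]}
THREATS = [
    Threat("malware infection", "integrity", "medium"),
    Threat("device theft", "confidentiality", "rare"),
]

if __name__ == "__main__":
    for r in assess(REGISTER, THREATS):
        print(f'{r["asset"]:28} {r["threat"]:18} {r["affects"]:16} '
              f'{r["class"]:10} -> {r["treatment"]}  (owner: {r["owner"]})')
```

Running the script prints one register row per asset/threat pair; the managing director’s laptop lands in the "high" class for malware because the existential board reporting process depends on it, while the temporary worker’s laptop with the same threat is only "medium" and its theft risk is accepted. A real register would also carry the measure, its owner, due date and implementation status per row, as the paragraph above requires.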


It is clear that risk management is a complex process that affects the entire company in terms of its processes, assets and people. It is also a continuous process that requires constant searching for risks, documenting and evaluating them and scrutinizing the treatment methods. Audits ensure the quality of risk management and help to raise risk awareness within the company at all levels.

Tool-based risk management

Many companies use Excel for their risk management. This looks cost-effective at first glance, but quickly reaches its natural limits given the complexity, constant change and criticality of the topic. As a result, risk management often becomes a data graveyard and the private science of whoever maintains the sprawling spreadsheet.

As a governance, risk and compliance (GRC) platform, GRASP offers an integrated solution for risk management. The advantages are obvious:

Processes and workflows are based on established norms and standards (e.g. BSI, DIN ISO, professional associations) as well as their guidelines and recommendations. As a result, they are limited to what is essential and necessary and no unnecessary complexity is created. Risk management remains targeted.

Once data has been recorded, it can be reused for other management systems (DSM, BCM etc.). Tenants, rights and roles regulate responsibilities and enable targeted control and distribution of critical information within the company. Specialists can perform their risk management tasks in the best possible way, while contributing employees or reporting managers only see the information they require. This means that everyone receives the right amount and quality of information. Login is via single sign-on, and multi-factor authentication, among other measures, ensures the necessary security of the software itself. Even in the event of an IT failure, availability can be maintained by independent, self-contained systems.

Risk management is alive and therefore subject to constant change. Workflows make it easy to automate, plan and set reminders so that nothing is forgotten and usage is as convenient as possible.

Dashboards and reports enable simple reporting for internal and external auditors as well as top management.