Purpose of the risk management module
Through the detailed steps of the risk analysis, a prioritized risk list is prepared, which can then be maintained continuously together with the risk management plan; in this way, risk-proportionate protection is established and kept up to date. Up-to-date reports can be generated on the progress and current state of the risk analysis.
The risk analysis module of SeCube can be customized to the specific needs of the Client and is a software component that can be parameterized on a wide scale. A fundamental requirement for the module was a working risk analysis methodology whose parameters can be customized. This enables the software to take into consideration the Client's own circumstances, whether requirements set by a parent company or legal regulations. The selected configuration defines the level of detail of the risk analysis. The software is capable of supporting analyses involving large numbers of operations.
The methodology behind the risk analysis module is based on KÜRT’s method, traditionally applied for a large number of clients, as well as on information security recommendations and standards. Its pillars are the vulnerability check of resources and the analysis of business impacts, and their results are used to calculate risk values. The concepts and terminology used in the course of the risk analysis, and the interpretation of risks, correspond to the ISO 27001 and ISO 27005 standards. Through the risk analysis, the links between resource vulnerabilities and potential threats are highlighted, together with the business impacts arising from their possible joint occurrence, while the existing security measures are taken into account. At the same time, the procedure relies on simple yet regulated steps that analyze the cause and effect relations.
The risk analysis can be carried out periodically or continuously according to the needs of the organization. The scope of the risk analysis can be flexibly adjusted as regards threats and/or resources, so full-scale or partial (ad hoc) risk analyses can be performed, and areas other than IT, such as physical security, the safety of human resources and data privacy, can also be assessed. The structure of the SeCube framework enables fully independent risk analyses to be run, so the software functionality can be used by different organizational units independently of each other, with different parameters.
Properties of analysis:
- Expandable basic threat and vulnerability registry based on ISO and NIST standards, supplemented with benchmark data drawn from our references and in-depth experience in risk analysis.
- Methodology, parameters and operating logic that can be customized according to the operating environment of the Client.
- Vulnerability assessment can be supported with vulnerability questionnaires.
- Status propagation and impact tracking based on a cause and effect graph. Using graphical graph models, the status change of dependent resources can be followed from the entry of a threat to the status change of the resources that cause business damage.
- Besides the basic impact directions of information security events (CIA damage: confidentiality, integrity, availability), the software can work with other status changes as well (e.g. deterioration in quality, drop in capacity, etc.).
- In the course of the damage impact analysis, various financial and immaterial (e.g. legal compliance, loss of reputation) evaluation aspects can be created and used.
- As a result of the analysis, a prioritized risk list is prepared that can be analyzed according to various evaluation aspects (e.g. most important security measures, most frequent causes of vulnerability, most threatened resources, etc.), and a detailed textual MS Word report can be generated.
- The system provides an automatic textual evaluation and a cause and effect graph diagram for each individual risk, from which the parameters of a given risk can be traced back, so risks can easily be revised.
- The risk management results define the order in which it is practical to take measures to mitigate the individual risks. A risk management decision can be made for each risk, risk management measures can be defined depending on that decision, and their state of implementation can then be monitored. Individual risk management measures can be planned in detail, taking into consideration the human and financial costs. The implementation of risk management measures can be monitored in real time. Thus, reports on the initial state, the current risk management status and the achievable future status can be prepared and compared.
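The following is an added illustration of the cause-and-effect propagation and prioritized risk list described above; it is not SeCube's code, and its resource graph, threats, impact values and the scoring rule (likelihood = vulnerability minus credit for existing controls, risk = likelihood × impact) are constructed assumptions for the example. A threat enters at one resource, its status-change directions (C, I, A) travel along dependencies that transmit them, and a risk entry is produced wherever a direction reaches a business process with a defined impact for that direction and evaluation aspect.

```python
from collections import deque
from dataclasses import dataclass

# Constructed sample data, not SeCube's registry: each resource lists the
# resources that depend on it, and which status-change directions
# (C = confidentiality, I = integrity, A = availability) the dependency carries.
DEPENDENCIES = {
    "Edge firewall": [("Web shop front end", {"A"})],
    "Web shop front end": [("Order processing", {"A", "I"})],
    "Backup system": [("Customer DB", {"A"})],
    "Customer DB": [("Order processing", {"C", "I", "A"})],
}

# Constructed business impact (1..5) per business process, direction and evaluation aspect.
BUSINESS_IMPACT = {
    "Order processing": {
        "A": {"financial": 4, "reputation": 3},
        "I": {"financial": 3, "legal compliance": 4},
        "C": {"legal compliance": 5, "reputation": 5},
    },
}


@dataclass(frozen=True)
class Threat:
    name: str
    entry_resource: str          # where the threat first changes a status
    directions: frozenset        # status-change directions it causes
    vulnerability: int           # 1..5, e.g. from a vulnerability questionnaire
    control_reduction: int = 0   # existing measures lower the likelihood (assumed model)


# Constructed threats for the example.
SAMPLE_THREATS = [
    Threat("Ransomware", "Backup system", frozenset({"A"}), 4, 1),
    Threat("SQL injection", "Customer DB", frozenset({"C", "I"}), 5),
    Threat("DDoS", "Edge firewall", frozenset({"A"}), 3),
]


def likelihood(threat):
    # Assumed scoring: vulnerability level minus credit for existing controls, floor 1.
    return max(1, threat.vulnerability - threat.control_reduction)


def propagate(entry_resource, directions):
    """Walk the cause-and-effect graph from the entry resource.

    Returns (resource, directions reaching it, path) for every node reached;
    a dependency only carries the directions it is declared to transmit.
    """
    reached = []
    seen = set()
    queue = deque([(entry_resource, frozenset(directions), (entry_resource,))])
    while queue:
        node, dirs, path = queue.popleft()
        if (node, dirs) in seen:
            continue
        seen.add((node, dirs))
        reached.append((node, dirs, list(path)))
        for dependent, transmitted in DEPENDENCIES.get(node, []):
            carried = dirs & frozenset(transmitted)
            if carried:
                queue.append((dependent, carried, path + (dependent,)))
    return reached


def assess(threats):
    """Build the prioritized risk list: one entry per threat/process/direction/aspect."""
    risks = []
    for threat in threats:
        lik = likelihood(threat)
        for node, dirs, path in propagate(threat.entry_resource, threat.directions):
            for direction in sorted(dirs):
                impacts = BUSINESS_IMPACT.get(node, {}).get(direction, {})
                for aspect, impact in sorted(impacts.items()):
                    risks.append({
                        "threat": threat.name, "process": node, "direction": direction,
                        "aspect": aspect, "likelihood": lik, "impact": impact,
                        "risk": lik * impact,   # assumed rule: risk = likelihood x impact
                        "path": path,           # the cause-and-effect chain for this risk
                    })
    risks.sort(key=lambda r: (-r["risk"], r["threat"], r["process"], r["direction"], r["aspect"]))
    return risks


def most_threatened_resources(risks):
    """Aggregate risk by entry resource (first node of each cause-and-effect path)."""
    totals = {}
    for r in risks:
        totals[r["path"][0]] = totals.get(r["path"][0], 0) + r["risk"]
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for r in assess(SAMPLE_THREATS):
        chain = " -> ".join(r["path"])
        print(f'{r["risk"]:>3}  {r["threat"]:<14} {r["direction"]} {r["aspect"]:<16} via {chain}')
    print(most_threatened_resources(assess(SAMPLE_THREATS)))
```

Each entry of the returned list carries its own path, which is what a per-risk cause-and-effect diagram and textual evaluation would be rendered from; the aggregation by entry resource is one of the evaluation views (most threatened resources) mentioned in the list above.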
Results of risk management
- Prioritized risks list with analysis reports
- Graphic reports on the status at the moment of the analysis as well as on the current and desired status
- Textual MS Word risk management report document
- Risk management plan
- Partial results and analysis steps can be exported during the analysis