Security risk management. How to set information security goals? How information security is violated by technical methods of influence

When implementing an information security management system (ISMS) in an organization, one of the main stumbling blocks is usually the risk management system. Discussions about information security risk management are akin to the UFO problem. On the one hand, no one around seems to have actually seen it and the phenomenon itself seems unlikely; on the other hand, there is a lot of evidence, hundreds of books have been written, there are even corresponding scientific disciplines and associations of pundits engaged in this research and, as usual, the intelligence services possess special secret knowledge in this area.

Alexander Astakhov, CISA, 2006

Introduction

There is no consensus among information security specialists on risk management issues. Some reject quantitative methods of risk assessment, some reject qualitative methods, some deny the feasibility and the very possibility of risk assessment altogether, some accuse the organization's management of insufficient awareness of the importance of security issues or complain about the difficulty of obtaining an objective valuation of certain assets, such as the organization's reputation. Others, seeing no way to justify the cost of security, propose treating it as a kind of hygienic procedure and spending on it as much money as one does not begrudge, or as much as is left in the budget.

Whatever opinions exist on the issue of information security risk management, and however we treat these risks, one thing is clear: this issue contains the essence of the multifaceted activity of information security specialists, directly connecting it with the business and giving it reasonable meaning and expediency. This article outlines one possible approach to risk management and answers the question of why different organizations view and manage information security risks differently.

Core and supporting assets

When we talk about business risks, we mean the possibility of suffering certain damage with a certain probability. This can be either direct material damage or indirect damage, expressed, for example, in lost profits, up to and including exit from the business, because if a risk is not managed, the business itself can be lost.

Actually, the essence of the issue is that the organization has and uses several main categories of resources to achieve the results of its activities (its business goals); hereinafter we will use the concept of an asset, which is directly related to the business. An asset is anything that has value for an organization and generates its income (in other words, it is something that creates a positive financial flow or saves money).

There are material, financial, human and information assets. Modern international standards also define another category of assets: processes. A process is an aggregated asset that operates all the other assets of the company to achieve business goals. The company's image and reputation are also considered among the most important assets. These key assets of any organization are nothing more than a special type of information asset, since the image and reputation of a company are nothing more than the content of the open and widely disseminated information about it. Information security deals with image issues insofar as security problems in the organization, as well as leaks of confidential information, affect the image extremely negatively.

Business results are influenced by various external and internal factors belonging to the risk category. This influence is expressed in a negative impact on one or simultaneously several groups of the organization's assets. For example, a server failure affects the availability of the information and applications stored on it, and its repair diverts human resources, creating a shortage of personnel in a certain area of work and disorganizing business processes, while the temporary unavailability of client services can negatively affect the company's image.

By definition, all types of assets are important to an organization. However, every organization has core vital assets and supporting assets. It is very easy to determine which assets are the core ones, because these are the assets around which the organization's business is built. Thus, an organization's business may be based on the possession and use of tangible assets (for example, land, real estate, equipment, minerals); a business can also be built on the management of financial assets (credit activities, insurance, investing); a business can be based on the competence and authority of specific specialists (consulting, audit, training, high-tech and knowledge-intensive industries); or a business can revolve around information assets (software development, information products, e-commerce, business on the Internet). Risks to core assets are fraught with loss of business and irreparable losses for the organization; therefore the attention of business owners is primarily focused on these risks, and the organization's management deals with them personally. Risks to supporting assets typically result in recoverable damage and are not a major priority in the organization's management system. Typically, such risks are managed by specially appointed people, or are transferred to a third party, for example an outsourcer or an insurance company. For the organization, this is more a matter of management efficiency than of survival.

Existing approaches to risk management

Since information security risks are not the principal risks for every organization, three main approaches to managing them are practiced, differing in depth and degree of formalism.

For non-critical systems, when information assets are auxiliary and the level of informatization is not high, which is typical for most modern Russian companies, there is minimal need for risk assessment. In such organizations, we should talk about some basic level of information security, determined by existing regulations and standards, best practices, experience, and how this is done in most other organizations. However, the existing standards, while describing a basic set of requirements and security mechanisms, always stipulate the need to assess the risks and the economic feasibility of using particular control mechanisms, in order to select from the general set of requirements and mechanisms those that are applicable in a particular organization.

For critical systems in which information assets are not the core ones, but the level of informatization of business processes is very high and information risks can significantly affect the main business processes, risk assessment must be applied; in this case, however, it is advisable to limit oneself to informal qualitative approaches to the problem, paying special attention to the most critical systems.

When an organization’s business is built around information assets and information security risks are the main ones, a formal approach and quantitative methods must be used to assess these risks.

In many companies, several types of assets can be vital at the same time, for example when the business is diversified, or when the company creates information products and both human and information resources are equally important to it. In this case, the rational approach is to conduct a high-level risk assessment to determine which systems are highly exposed to risk and which are critical to business operations, followed by a detailed risk assessment of the identified systems. For all other non-critical systems, it is advisable to limit oneself to the basic approach, making risk management decisions based on existing experience, expert opinions and best practice.

Levels of maturity

The choice of approach to risk assessment in an organization, in addition to the nature of its business and the level of informatization of its business processes, is also influenced by its level of maturity. Information security risk management is a business task initiated by the organization's management according to their degree of awareness of information security problems, and its purpose is to protect the business from real, existing information security threats. By degree of awareness, several maturity levels of organizations can be traced, which to a certain extent correlate with the maturity levels defined in COBIT and other standards:

  1. At the initial level, there is no awareness as such; the organization takes fragmented measures to ensure information security, initiated and implemented by IT specialists under their own responsibility.
  2. At the second level, the organization defines responsibility for information security; attempts are made to use integrated solutions with centralized management and implement separate information security management processes.
  3. The third level is characterized by the application of the process approach to information security management described in the standards. The information security management system becomes so important for the organization that it is considered a necessary component of the organization's management system. However, a full-fledged information security management system does not yet exist, because its basic element, the risk management processes, is absent.
  4. Organizations with the highest degree of awareness of information security problems are characterized by the use of a formalized approach to information security risk management, characterized by the presence of documented processes for planning, implementation, monitoring and improvement.

Risk management process model

In March this year, a new British standard, BS 7799 Part 3 – Information security management systems - Information security risk management practice, was adopted. ISO expects this document to be approved as an International Standard by the end of 2007. BS 7799-3 defines risk assessment and management processes as an integral element of an organization's management system, using the same process model as other management standards, which includes four process groups: plan, do, check, act (PDCA), reflecting the standard cycle of any management process. While ISO 27001 describes the overall end-to-end security management cycle, BS 7799-3 extends it to the information security risk management processes.

In the information security risk management system, at the Planning stage, the policy and methodology for risk management are determined, and a risk assessment is performed, which includes an inventory of assets, compilation of threat and vulnerability profiles, assessment of the effectiveness of countermeasures and potential damage, and determination of the acceptable level of residual risks.

At the Implementation stage, risks are processed and control mechanisms are introduced to minimize them. The organization's management makes one of four decisions for each identified risk: ignore, avoid, transfer to an external party, or minimize. After this, a risk treatment plan is developed and implemented.

At the Verification stage, the functioning of control mechanisms is monitored, changes in risk factors (assets, threats, vulnerabilities) are tracked, audits are conducted and various control procedures are performed.

At the Action stage, based on the results of continuous monitoring and ongoing audits, the necessary corrective actions are carried out, which may include, in particular, a reassessment of the magnitude of risks, adjustments to the risk management policy and methodology, as well as the risk treatment plan.

Risk factors

The essence of any risk management approach is to analyze risk factors and make adequate decisions to treat risks. Risk factors are the main parameters that we use when assessing risks. There are only seven such parameters:

  • Asset
  • Damage (Loss)
  • Threat
  • Vulnerability
  • Control mechanism
  • Average annual loss (ALE)
  • Return on Investment (ROI)

How these parameters are analyzed and assessed is determined by the risk assessment methodology used in the organization. At the same time, the general approach and pattern of reasoning are approximately the same, no matter what methodology is used. The risk assessment process includes two phases. In the first phase, which is defined in the standards as risk analysis, it is necessary to answer the following questions:

  • What is the company's main asset?
  • What is the real value of this asset?
  • What threats exist to this asset?
  • What are the consequences of these threats and the damage to the business?
  • How likely are these threats?
  • How vulnerable is the business to these threats?
  • What is the expected average annual loss?

In the second phase, which is defined by the standards as risk assessment, it is necessary to answer the question: What level of risk (the amount of average annual losses) is acceptable for the organization and, based on this, what risks exceed this level.

Thus, based on the results of the risk assessment, we obtain a description of the risks exceeding the acceptable level and an assessment of the magnitude of these risks, which is determined by the size of the average annual losses. Next, you need to make a decision on risk treatment, i.e. answer the following questions:

  • Which risk treatment option do we choose?
  • If a decision is made to minimize risk, what control mechanisms should be used?
  • How effective are these controls and what return on investment will they provide?

The output of this process is a risk treatment plan, defining how the risks are treated, the cost of countermeasures, and the timing of and responsibility for implementing them.
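The seven risk factors and the treatment decision described above, worked through in numbers as an added Python example (not part of the article). It assumes the standard ALE arithmetic, which the text does not spell out (single loss = asset value × exposure; ALE = single loss × expected incidents per year), defines ROI as net annual saving per unit of control cost, and uses constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the risk register: an asset exposed to a threat."""
    asset: str
    asset_value: float         # value of the asset in money units
    exposure: float            # share of that value lost per incident (0..1)
    incidents_per_year: float  # expected incidents per year (threat x vulnerability)

    def single_loss(self) -> float:
        return self.asset_value * self.exposure

    def ale(self) -> float:
        """Average annual loss with the controls currently in place."""
        return self.single_loss() * self.incidents_per_year


@dataclass
class Control:
    """A candidate countermeasure and the reduction it is credited with."""
    name: str
    annual_cost: float
    rate_reduction: float = 0.0      # share of incidents it prevents (0..1)
    exposure_reduction: float = 0.0  # share of per-incident loss it avoids (0..1)


def residual_ale(risk: Risk, control: Control) -> float:
    """Average annual loss remaining once the control is applied."""
    rate = risk.incidents_per_year * (1.0 - control.rate_reduction)
    loss = risk.single_loss() * (1.0 - control.exposure_reduction)
    return rate * loss


def roi(risk: Risk, control: Control) -> float:
    """Return on investment: (ALE saved - control cost) / control cost."""
    saving = risk.ale() - residual_ale(risk, control)
    return (saving - control.annual_cost) / control.annual_cost


def treatment_decision(risk: Risk, controls: list, acceptable_ale: float) -> str:
    """Map the numbers onto the four treatment options named in the text:
    ignore, minimize, transfer or avoid.  A control is viable only if it
    brings the residual ALE within the acceptable level and pays for
    itself (ROI > 0)."""
    if risk.ale() <= acceptable_ale:
        return "ignore"
    viable = [c for c in controls
              if residual_ale(risk, c) <= acceptable_ale and roi(risk, c) > 0]
    if viable:
        best = max(viable, key=lambda c: roi(risk, c))
        return f"minimize: {best.name}"
    # No control is both sufficient and economical; what remains is to
    # transfer the risk (insurance, outsourcing) or avoid it altogether.
    return "transfer or avoid"


# Constructed sample values, for illustration only.
CUSTOMER_DB = Risk(asset="customer database", asset_value=500_000.0,
                   exposure=0.2, incidents_per_year=0.5)
MFA = Control(name="MFA and login monitoring", annual_cost=15_000.0,
              rate_reduction=0.8)
TRAINING = Control(name="awareness training", annual_cost=5_000.0,
                   rate_reduction=0.3)
ACCEPTABLE_ALE = 12_000.0  # the level management has declared tolerable


if __name__ == "__main__":
    print(f"ALE without new controls: {CUSTOMER_DB.ale():,.0f}")
    for c in (MFA, TRAINING):
        print(f"{c.name}: residual ALE {residual_ale(CUSTOMER_DB, c):,.0f}, "
              f"ROI {roi(CUSTOMER_DB, c):.2f}")
    print("decision:", treatment_decision(CUSTOMER_DB, [MFA, TRAINING], ACCEPTABLE_ALE))
```

Note that awareness training has the higher ROI but is rejected, because it leaves the residual ALE above the acceptable level; the decision rule applies the acceptable-risk threshold first and ROI second.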

Deciding on Risk Treatment

Making a decision on risk treatment is the key and most critical moment in the risk management process. In order for management to make the right decision, the person responsible for risk management in the organization must provide it with relevant information. The form in which this information is presented follows the standard business communication algorithm, which includes four main points:

  • Problem reporting: What is the threat to the business (source, object, method of implementation) and what is the reason for its existence?
  • Severity of the problem: How does this threaten the organization, its management and shareholders?
  • Proposed solution: What is proposed to be done to correct the situation, how much will it cost, who should do it, and what is required directly from management?
  • Alternative solutions: What other ways to solve the problem exist (there are always alternatives and management should have the opportunity to choose).

Points 1 and 2, as well as 3 and 4 may be interchanged, depending on the specific situation.

Risk management methods

There are a sufficient number of well-proven and widely used risk assessment and management methods. One such method is OCTAVE, developed at Carnegie Mellon University for internal use in organizations. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) has a number of modifications designed for organizations of different sizes and areas of activity. The essence of this method is that risks are assessed through a sequence of appropriately organized internal workshops. Risk assessment is carried out in three stages, preceded by a set of preparatory activities, including agreeing on the schedule of workshops, assigning roles, planning, and coordinating the actions of project team members.

At the first stage, during practical workshops, threat profiles are developed, including an inventory and assessment of the value of assets, identification of applicable legal and regulatory requirements, identification of threats and assessment of their likelihood, as well as determination of a system of organizational measures to maintain the information security regime.

At the second stage, a technical analysis of the vulnerabilities of the organization's information systems is carried out in relation to the threats whose profiles were developed at the previous stage; this includes identifying the existing vulnerabilities of the organization's information systems and assessing their magnitude.

At the third stage, information security risks are assessed and processed, which includes determining the magnitude and likelihood of causing damage as a result of security threats using vulnerabilities that were identified in the previous stages, determining a protection strategy, as well as selecting options and making decisions on risk treatment. The magnitude of the risk is defined as the average annual loss of the organization as a result of the implementation of security threats.

A similar approach is used in the well-known CRAMM risk assessment method, developed at one time by order of the British government. CRAMM's primary method of risk assessment is through carefully planned interviews using detailed questionnaires. CRAMM is used in thousands of organizations around the world, thanks, among other things, to the availability of highly developed software tools that contain a knowledge base on risks and mechanisms for minimizing them, tools for collecting information, generating reports, and also implementing algorithms for calculating the magnitude of risks.

Unlike the OCTAVE method, CRAMM uses a slightly different sequence of actions and methods for determining the magnitude of risks. First, the feasibility of assessing risks in general is determined, and if the organization’s information system is not critical enough, then a standard set of control mechanisms described in international standards and contained in the CRAMM knowledge base will be applied to it.

At the first stage, the CRAMM method builds a model of information system resources that describes the relationships between information, software and technical resources, and also evaluates the value of resources based on the possible damage that an organization may suffer as a result of their compromise.

At the second stage, a risk assessment is carried out, which includes identifying and assessing the likelihood of threats, assessing the magnitude of vulnerabilities and calculating risks for each triple: resource - threat - vulnerability. CRAMM evaluates “pure” risks, regardless of the control mechanisms implemented in the system. At the risk assessment stage, it is assumed that no countermeasures are applied at all, and a set of recommended countermeasures to minimize risks is formed based on this assumption.

At the final stage, the CRAMM toolkit generates a set of countermeasures to minimize the identified risks and compares the recommended and existing countermeasures, after which a risk treatment plan is generated.

Risk Management Toolkit

In the process of risk assessment, we go through a number of successive stages, periodically rolling back to previous stages, for example, re-evaluating a certain risk after choosing a specific countermeasure to minimize it. At each stage, it is necessary to have on hand questionnaires, lists of threats and vulnerabilities, registers of resources and risks, documentation, minutes of meetings, standards and guidelines. In this regard, we need some kind of programmed algorithm, database and interface to work with these various data.

To manage information security risks, you can use tools, for example, as in the CRAMM method, or RA2 (shown in the figure), but this is not mandatory. The BS 7799-3 standard says much the same. The usefulness of using the toolkit may lie in the fact that it contains a programmed algorithm for the risk assessment and risk management workflow, which simplifies the work for an inexperienced specialist.

The use of tools allows you to unify the methodology and simplify the use of results to reassess risks, even if it is performed by other specialists. Thanks to the use of tools, it is possible to streamline data storage and work with resource models, threat profiles, lists of vulnerabilities and risks.

In addition to the risk assessment and management tools themselves, the software tools may also contain additional tools for documenting the ISMS, analyzing discrepancies with standard requirements, developing a resource register, as well as other tools necessary for the implementation and operation of the ISMS.

Conclusions

The choice of qualitative or quantitative approaches to risk assessment is determined by the nature of the organization's business and the level of its informatization, i.e. the importance of information assets to it, as well as by the organization's level of maturity.

When implementing a formal approach to risk management in an organization, it is necessary to rely primarily on common sense, existing standards (e.g. BS 7799-3) and well-established methodologies (e.g. OCTAVE or CRAMM). It may be useful to use software tools for these purposes that implement the appropriate methodologies and meet the requirements of the standards to the maximum extent possible (for example, RA2).

The effectiveness of the information security risk management process is determined by the accuracy and completeness of the analysis and assessment of risk factors, as well as the effectiveness of the mechanisms used in the organization for making management decisions and monitoring their implementation.


One of the most important aspects of the implementation of information security policy is the analysis of threats, assessment of their reliability and the severity of the likely consequences. In reality, risk appears where there is a probability of a threat occurring, and the magnitude of the risk is directly proportional to the magnitude of this probability (Fig. 4.11).

The essence of risk management activities is to assess their size, develop mitigation measures and create a mechanism to ensure that residual risks do not exceed acceptable limits. Thus, risk management involves two activities: risk assessment and the selection of effective and cost-effective protective and regulatory mechanisms. The risk management process can be divided into the following stages [Galatenko V. A., 2006]:

  • identification of assets and resource values in need of protection;
  • selection of analyzed objects and the degree of detail of their consideration;
  • analysis of threats and their consequences, identification of weaknesses in protection;
  • classification of risks, selection of risk assessment methodology and assessment;
  • selection, implementation and testing of protective measures;
  • residual risk assessment.

Fig. 4.11. Uncertainty as the basis for risk formation

The information security policy includes the development of a strategy for managing risks of different classes.

A short list of the most common threats was given above (see clause 17.2). It is advisable to identify not only the threats themselves, but also the sources from which they arise; this helps to assess the risk correctly and select appropriate neutralization measures. For example, illegal entry into a system may result from password guessing or from an unauthorized user or device connecting to the network.

It is obvious that to counter each method of illegal entry, its own security mechanisms are needed. After identifying a threat, it is necessary to assess the likelihood of its implementation and the extent of potential damage.

When assessing the severity of the damage, it is necessary to keep in mind not only the immediate costs of replacing equipment or restoring information, but also more distant ones, in particular, undermining the company’s reputation, weakening its position in the market, etc.

After identifying and analyzing threats and their possible consequences, there are several approaches to management: risk assessment, risk reduction, risk avoidance, changing the nature of risk, risk acceptance, development of corrective measures (Fig. 4.12).

Fig. 4.12. Risk Management Framework

When identifying assets and information resources, that is, the values that need to be protected, one should consider not only the components of the information system, but also the supporting infrastructure, personnel, and intangible assets, including the current rating and reputation of the company. At the same time, one of the main results of the asset identification process is a detailed picture of the organization's information structure and of the ways in which it is used.


The selection of the objects to be analyzed and the degree of detail of their consideration is the next step in risk assessment. For a small organization, it is acceptable to consider the entire information infrastructure; for a large one, attention should focus on the most important (critical) services. If there are many important services, those are selected whose risks are obviously high or unknown. If the information basis of the organization is a local network, then the hardware objects should include computers, peripherals, external interfaces, cabling and active network equipment.

Software objects include operating systems (network, server and client), application software, tools, and programs for managing the network and individual subsystems. It is important to record in which network nodes the software is stored and where and how it is used. The third type of information object is the data that is stored, processed and transmitted over the network. Data should be classified by type and degree of confidentiality, and where it is stored and processed and how it is accessed should be identified. All this is important for assessing the risks and the consequences of information security breaches.

Risk assessment is carried out on the basis of accumulated initial data and an assessment of the degree of certainty of threats. It is quite acceptable to use such a simple method as multiplying the probability of a threat occurring by the amount of expected damage. If we use a three-point scale for probability and damage, then there will be six possible products: 1, 2, 3, 4, 6 and 9. The first two results can be classified as low risk, the third and fourth - as medium, and the last two - as high. This scale can be used to assess the acceptability of risks.

If any risks are found to be unacceptably high, additional protective measures must be implemented. Several effective and inexpensive security mechanisms can be used to eliminate or reduce the weakness that makes a dangerous threat real. For example, if there is a high risk of illegal logins, you can introduce long passwords, use a password generation program, or purchase an integrated smart-card-based authentication system. If there is a possibility of intentional damage to servers for various purposes, which can have serious consequences, you can limit the physical access of personnel to server rooms and strengthen their security.

Risk assessment technology must combine formal metrics and the formation of real quantitative indicators for assessment. With their help, it is necessary to answer two questions: are the existing risks acceptable, and if not, then what protective equipment is economically profitable to use.

Fig. 4.13. Risk Assessment and Mitigation Framework

Risk reduction methodology. Many risks can be significantly reduced by using simple and inexpensive countermeasures. For example, competent (regulated) access control reduces the risk of unauthorized intrusion. Some classes of risk can be avoided altogether: moving the organization's Web server outside the local network avoids the risk of unauthorized access to the local network from Web clients. Some risks cannot be reduced to a small value, but after implementing a standard set of countermeasures they can be accepted, with the residual risk constantly monitored (Figure 4.13).

An assessment of the cost of protective measures should take into account not only the direct costs of purchasing equipment and/or software, but also the costs of introducing new products, training and retraining of personnel. This cost can be expressed on some scale and then compared with the difference between the calculated risk and the acceptable risk. If, according to this indicator, the remedy turns out to be economically profitable, it can be accepted for further consideration.
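The three-point scoring method described above (probability × damage giving 1, 2, 3, 4, 6 or 9, classified as low, medium or high) and the cost comparison in the preceding paragraph, as an added Python example that is not part of the textbook. Expressing a countermeasure's cost on the same 1..9 scale and requiring it to be no more than the gap between the calculated and the acceptable risk is this example's reading of the text's rule, and the register and measures are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, List

# The product of two three-point scales takes exactly these six values.
LEVELS = {1: "low", 2: "low", 3: "medium", 4: "medium", 6: "high", 9: "high"}


@dataclass(frozen=True)
class RiskItem:
    """An asset/threat pair rated on the three-point scales from the text."""
    asset: str
    threat: str
    probability: int  # 1 = low, 2 = medium, 3 = high
    damage: int       # 1 = low, 2 = medium, 3 = high

    def __post_init__(self) -> None:
        if self.probability not in (1, 2, 3) or self.damage not in (1, 2, 3):
            raise ValueError("probability and damage must be 1, 2 or 3")

    @property
    def score(self) -> int:
        return self.probability * self.damage

    @property
    def level(self) -> str:
        return LEVELS[self.score]


@dataclass(frozen=True)
class Countermeasure:
    """A protective measure, its cost on the same 1..9 scale (assumption),
    and the ratings the risk is expected to have once it is in place."""
    name: str
    cost: int
    new_probability: int
    new_damage: int

    @property
    def residual_score(self) -> int:
        return self.new_probability * self.new_damage


def unacceptable(register: Iterable[RiskItem], acceptable_score: int) -> List[RiskItem]:
    """Risks above the acceptable level, most severe first."""
    return sorted((r for r in register if r.score > acceptable_score),
                  key=lambda r: r.score, reverse=True)


def worth_considering(item: RiskItem, measure: Countermeasure,
                      acceptable_score: int) -> bool:
    """Cost rule from the text: compare the measure's cost with the gap
    between the calculated and the acceptable risk.  The measure is kept
    for further consideration only if it costs no more than that gap and
    actually leaves the residual risk within the acceptable level."""
    gap = item.score - acceptable_score
    return measure.cost <= gap and measure.residual_score <= acceptable_score


def shortlist(item: RiskItem, measures: Iterable[Countermeasure],
              acceptable_score: int) -> List[str]:
    """Names of the measures that survive the cost comparison for one risk."""
    return [m.name for m in measures if worth_considering(item, m, acceptable_score)]


# Constructed sample register and candidate measures (illustration only).
REGISTER = [
    RiskItem("customer database", "password guessing", probability=3, damage=3),
    RiskItem("web server", "defacement", probability=2, damage=2),
    RiskItem("backup tapes", "theft", probability=1, damage=3),
    RiskItem("office printer", "failure", probability=2, damage=1),
]
ACCEPTABLE_SCORE = 4  # medium risk is tolerated, high is not

MEASURES = [
    Countermeasure("long passwords + generator", cost=1, new_probability=2, new_damage=3),
    Countermeasure("smart-card authentication", cost=3, new_probability=1, new_damage=3),
    Countermeasure("replace the whole system", cost=7, new_probability=1, new_damage=1),
]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:18} {r.threat:18} score={r.score} level={r.level}")
    for r in unacceptable(REGISTER, ACCEPTABLE_SCORE):
        print("unacceptable:", r.asset, "->", shortlist(r, MEASURES, ACCEPTABLE_SCORE))
```

For the sample register only the password-guessing risk exceeds the acceptable level; the cheapest measure is rejected because it leaves the residual score at 6, and the most thorough one because its cost exceeds the gap of 5.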

Fig. 4.14. Iterative risk management process

Control of residual risks is necessarily included in the current control of the information security system. When the planned measures have been taken, it is necessary to check their effectiveness - to ensure that the residual risks have become acceptable. In the event of a systematic increase in residual risks, it is necessary to analyze the mistakes made and immediately take corrective measures.

Risk management is a multi-stage iterative process (Figure 4.14).

Almost all of its stages are interconnected, and upon completion of almost any of them, the need to return to the previous one may become apparent. Thus, when identifying assets, it may become clear that the selected boundaries of the analysis should be expanded and the degree of detail increased. The initial analysis is especially difficult, since repeated returns to the beginning are inevitable. Risk management is a typical optimization problem; the fundamental difficulty lies in its competent formulation at the level of top management, the combination of optimal methods and the description of the initial data (Fig. 4.15).

Fig. 4.15. Formation of IT risk management activities

The Risk Assessment and Risk Management methodologies have become an integral part of activities in the field of Business Continuity and Information Security. The information security implementation program and the sets of policies are based on a set of systemic actions and practical steps (Fig. 4.16-Fig. 4.19).

Fig. 4.16. Set of systemic actions and practical steps (1)

Fig. 4.17. Sets of systemic actions and practical steps (2)

Fig. 4.18. Sets of systemic actions and practical steps (3)

Fig. 4.19. Sets of systemic actions and practical steps (4)

More than a dozen different international standards and specifications have been prepared and are actively used that regulate information risk management procedures in detail: ISO 15408:1999 ("Common Criteria for Information Technology Security Evaluation"), ISO 17799:2002 ("Code of Practice for Information Security Management"), NIST 800-30, SAS 78/94, COBIT.

The RA Software Tool methodology and tool are based on the requirements of the international standards ISO 17799 and ISO 13335 (parts 3 and 4), as well as on the requirements of the British Standards Institution (BSI) documents PD 3002 ("Guide to risk assessment and management"), PD 3003 ("Assessing a company's readiness for audit in accordance with BS 7799") and PD 3005 ("Guide to the selection of a security system").

In practice, such risk management techniques allow you to:

  • create models of the company’s information assets from a security point of view;
  • classify and evaluate asset values;
  • compile lists of the most significant security threats and vulnerabilities;
  • rank security threats and vulnerabilities;
  • assess and manage risks;
  • develop corrective measures;
  • justify risk control means and measures;
  • evaluate the effectiveness and cost of various protection options;
  • formalize and automate risk assessment and management procedures.

Risk management includes a number of important stages, which are necessarily included in the planned work to ensure information security (Fig. 4.20).

Application of appropriate software reduces the labor intensity of risk analysis and of the selection of countermeasures. Currently, more than a dozen software products have been developed to analyze and manage risks at a basic level of security. An example of a fairly simple tool is the BSS (Baseline Security Survey, UK) software package.

Higher-end software products include CRAMM (Insight Consulting Limited, UK), RiskWatch, COBRA (Consultative Objective and Bi-Functional Risk Analysis) and Buddy System. The most popular of them is CRAMM (Complex Risk Analysis and Management Method), which implements a method of risk analysis and control. A significant advantage of the method is the ability to conduct a detailed study in a short time with full documentation of the results.

Fig. 4.20. Stages of risk management

Methods like CRAMM are based on an integrated approach to risk assessment, combining quantitative and qualitative analysis methods. The method is universal and suitable for both large and small organizations, both government and commercial sectors.

The strengths of the CRAMM method include the following:

  • CRAMM is a well-structured and widely tested risk analysis method that produces real, practical results;
  • CRAMM software tools can be used at all stages of an IS security audit;
  • the software product is built around a fairly large knowledge base on countermeasures in the field of information security, based on the recommendations of the BS 7799 standard;
  • the flexibility and versatility of the CRAMM method allow it to be used for auditing information systems of any level of complexity and purpose;
  • CRAMM can be used as a tool to develop an organization's business continuity plan and information security policies;
  • CRAMM can be used as a means of documenting IS security mechanisms.

For commercial organizations there is a commercial profile of security standards (Commercial Profile), for government organizations - government (Government Profile). The government version of the profile also allows you to audit for compliance with the requirements of the American standard TCSEC ("Orange Book").

History has proven many times that stability, no matter how ideal and good it may seem at first glance, leads to degradation. Development is impossible without risk. Our whole life is made up of probabilities, assessments of possibilities and decisions that lead to success or failure. But a lot depends on us. Will the parachute jump end safely? That depends on whether the parachute was packed correctly, whether you know the jumping procedure, and so on. Is the risk now zero? No, but through your actions you were able to reduce it significantly. In addition to individual risks, there are social, technological and many other kinds. We will focus on information security risks and their management.

Anton Makarychev
Head of Information Security Department, Compulink Group of Companies

The ISO 31000:2009 risk management standard defines risk as the effect of uncertainty on objectives, where the effect is a deviation from the intended outcome (positive or negative), and uncertainty is a state of insufficient information about an event, its consequences or its probability. Considering that most risks cannot be reduced to zero, their management comes first both globally and locally. Unfortunately, when action comes before analysis (and this is precisely the situation typical of many Russian companies), the effectiveness of the measures taken is also left to chance. It is like using a chainsaw as an axe without bothering to read the instructions for use. That is why, before taking on information security risk management, you should understand the existing developments and standards in this area.


From general to specific

When considering risk management through an information security focus, it is helpful to have an understanding of the following documents:

  • international standard ISO 31000:2009;
  • the Committee of Sponsoring Organizations of the Treadway Commission Organizational Risk Management Framework (COSO ERM);
  • risk management standard of the Institute of Risk Management (IRM) of the Association for Risk Management and Insurance (AIRMIC), as well as the National Forum for Risk Management in the Public Sector of the UK.


ISO 31000:2009 is the primary international standard on risk management for organizations and provides the basic definitions and principles that should guide an organization once it decides to implement a risk management system. This document can be used as a guide for the first steps, since it describes risk management as such, that is, its architecture.

More detailed instructions are contained in the Organizational Risk Management Framework of the Committee of Sponsoring Organizations of the Treadway Commission. In particular, in addition to the document itself, additional materials issued by the COSO Committee are of practical benefit:

  • ERM Risk Assessment in Practice (the practice of conducting risk assessments in the risk management system);
  • Enterprise Risk Management for Cloud Computing (risk management for cloud computing systems);
  • Enterprise Risk Management – Understanding and Communicating Risk Appetite (understanding and communicating risk appetite in the risk management system);
  • Embracing Enterprise Risk Management: Practical Approaches for Getting Started (practical approaches for starting the implementation of a risk management system), etc.

Their goal is a detailed disclosure of all aspects set out in the conceptual framework, which ultimately makes it possible to put the described principles on a practical basis.

However, it is worth mentioning one important nuance that can lead to some confusion when trying to combine the standards described above: differences in definitions. For example, “risk” in the ISO standard is the probability of both positive and negative consequences, whereas in the COSO framework it is only the probability of a negative consequence; for a positive one there is a separate term, opportunity. Nevertheless, given the continuous development of the framework, it deserves the closest attention.

Another useful document is the risk management standard of the Institute of Risk Management (IRM) of the Association for Risk Management and Insurance (AIRMIC), as well as the National Forum for Risk Management in the Public Sector of the UK. Using ISO terminology as a basis, this standard reveals the risk management process in more detail (Fig. 2).

It will be extremely useful for small and medium-sized businesses, as it can serve as the sole document for implementing a quality risk management system.

Thus, before moving on to specific issues of information security risk management, we can draw intermediate conclusions on the standards considered:

  • ISO 31000:2009 is suitable as a basis for any organization;
  • AIRMIC is practice-oriented and suitable as a core document for small and medium-sized businesses, as well as a starting point for large companies;
  • COSO ERM acts as the main document for the practical implementation of a risk management system in any organization, but initially gravitates towards large businesses.

Information Security Risk Management

Today, the informatization of society, coupled with the automation of processes, is developing so rapidly that ignoring the increasing risks in the field of information technology becomes unacceptable. Data center availability is measured in five and six nines, and failures in the information systems of large companies become global news.

As a result, organizations are creating separate departments for information security and IT risks, which are engaged in identifying and managing risks in this area.

Demand has created supply. The international organization ISO has issued a standard for managing information security risks in an organization, ISO 27005:2008 “Information technology – Security techniques – Information security risk management”. Besides it, there are other equally useful documents, for example:

  • the IT risk management framework (The Risk IT Framework) and its practitioner guide (The Risk IT Practitioner Guide), based on the Cobit standard of the ISACA organization;
  • Ken Jaworski's own methodology for information systems risk management.

Let's look at each of them in more detail.

ISO 27005:2008 defines information security risk as the likelihood that a given threat will exploit the vulnerabilities of an asset or group of assets and thereby cause harm to an organization.

In accordance with the standard, the information security risk management process allows you to organize the following:

  • risk identification;
  • assessing risks in terms of business consequences and likelihood of their occurrence;
  • communication and awareness of the likelihood and consequences of risks;
  • establishing an order of priorities for risk treatment;
  • prioritizing actions to reduce the likelihood of risks;
  • involving stakeholders in the risk management decision-making process and communicating the status of the risk management process;
  • monitoring the effectiveness of risk treatment;
  • regular monitoring and review of risks and of the risk management process;
  • identifying information to improve the risk management approach;
  • training managers and employees on risks and actions to reduce them.


It is noteworthy that the information security risk management process diagram is identical to the 31000 standard diagram presented earlier, which further confirms the same approach to risk management in the ISO series of standards. The standard is theoretical in nature, but will be useful as a basis for further implementation of a risk management system.

The Risk IT Framework, based on the ISACA Cobit standard, includes a theoretical framework, instructions for use - methodology and practical examples.

This document defines IT risk as business risk, specifically business risk associated with the use, ownership, operation, involvement, influence or adaptation of IT in an organization.

The process model of this framework consists of three domains:

  • risk governance (Risk Governance);
  • risk evaluation (Risk Evaluation);
  • risk response (Risk Response).

This three-domain model is thoroughly dissected in the document. All the necessary definitions are given, and the role model for the listed processes is analyzed, as is the implementation procedure.

The Risk IT Practitioner Guide is a logical continuation of the framework, oriented towards the practical implementation of the three-domain model in the organization. The document provides the required templates, tables and other documents, which can be modified as needed and used in your organization's risk management system. A description of the best practices for implementing IT risk management systems is also given.

Ken Jaworski's information systems risk management methodology is based on the ISO standard and focuses on the practical aspects of implementing a risk management system, and also contains the necessary templates and methods for calculating the impact of risks on the organization's activities.

To summarize, we can conclude that in the field of information security risk management there is some progress that allows interested specialists to move from theoretical descriptions to practical actions. Thus, the international standard ISO 27005:2008 serves as a theoretical starting point, from which the further practical path, despite an individual approach for each organization, can be effectively implemented using at least two methods.

Conclusion

The risk management system as part of corporate governance is already showing its effectiveness in those companies in which it is being implemented or has already been implemented. Given the current crisis in the global economy, similar systems can be expected to spread to the public sector as well. This is possible even today, since there are already standards and other documents on risk management systems that make it possible to implement such a system properly and in a relatively short time. The fundamental point is that, in addition to “general” documents, there are industry standards for risk management, in particular IT/IS risk management. However, given the specifics of the Russian economy, many organizations rely more on state support or so-called administrative resources, paying insufficient attention to corporate governance and to risk management in particular. As a result, in our country there is an increasing predisposition to larger bankruptcies than in the United States. But inaction is unlikely to help resolve the problem.

In practice, quantitative and qualitative approaches to assessing information security risks are used. What's the difference?

Quantitative method

Quantitative risk assessment is used in situations where the threats being studied and the risks associated with them can be expressed in final quantitative values: money, percentages, time, human resources, etc. The method allows you to obtain specific values for the objects of assessment when information security threats are realized.

In the quantitative approach, all elements of the risk assessment are assigned specific and realistic quantitative values. The algorithm for obtaining these values should be clear and understandable. The object of assessment may be the value of the asset in monetary terms, the likelihood of the threat being realized, the damage from the threat, the cost of protective measures, etc.

How to quantitatively assess risks?

1. Determine the value of information assets in monetary terms.

2. Assess in quantitative terms the potential damage from the implementation of each threat in relation to each information asset.

It is necessary to obtain answers to the questions “What part of the value of the asset will be the damage from the implementation of each threat?”, “What is the cost of damage in monetary terms from a single incident during the implementation of this threat to this asset?”

3. Determine the probability of implementation of each of the information security threats.

To do this, you can use statistical data, surveys of employees and stakeholders. In the process of determining the probability, calculate the frequency of incidents associated with the implementation of the considered information security threat over the control period (for example, one year).

4. Determine the total potential damage from each threat in relation to each asset over the control period (one year).

The value is calculated by multiplying the one-time damage from the threat by the frequency of the threat.

5. Analyze the received damage data for each threat.

For each threat, a decision must be made: accept the risk, reduce the risk, or transfer the risk.

Accepting a risk means recognizing it, coming to terms with its possibility, and continuing to act as before. Applicable for threats with low damage and low probability of occurrence.

Reducing risk means introducing additional measures and protective equipment, training staff, etc. That is, carrying out deliberate work to reduce risk. At the same time, it is necessary to quantitatively assess the effectiveness of additional measures and means of protection. All costs incurred by the organization, from the purchase of protective equipment to commissioning (including installation, configuration, training, maintenance, etc.), should not exceed the amount of damage from the threat.

To transfer risk means to shift the consequences of the risk to a third party, for example, through insurance.

As a result of quantitative risk assessment, the following should be determined:

  • the value of assets in monetary terms;
  • a complete list of all information security threats with damage from a single incident for each threat;
  • frequency of implementation of each threat;
  • potential damage from each threat;
  • recommended security measures, countermeasures and actions for each threat.

Quantitative information security risk analysis (example)

Let's consider the technique using the example of an organization's web server that is used to sell a certain product. The quantitative one-time damage from a server failure can be estimated as the product of the average purchase receipt and the average number of orders over a time interval equal to the server downtime. Let's say the one-time damage from a direct server failure is 100 thousand rubles.

Now it is necessary to estimate by expert means how often such a situation may arise (taking into account the intensity of operation, the quality of the power supply, etc.). For example, taking into account expert opinion and statistical information, we conclude that the server can fail up to 2 times a year.

Multiplying these two quantities, we get that the average annual damage from the threat of direct server failure amounts to 200 thousand rubles per year.

These calculations can be used to justify the choice of protective measures. For example, implementing an uninterruptible power supply and a backup system with a total cost of 100 thousand rubles per year will minimize the risk of server failure and will be a completely effective solution.
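The five quantitative steps above (one-time damage, frequency, annual damage, and the accept / reduce / transfer decision with its cost check) carried through in code. This is an added example, not code from the original article: the web-server figures are the page's own (100 thousand rubles per failure, up to 2 failures a year, countermeasures costing 100 thousand rubles a year), while the receipt and order figures, the other two threats and the acceptable-loss threshold are constructed for illustration.

```python
"""Quantitative information security risk assessment, following the steps in the
text: single-loss damage (step 2), yearly frequency (step 3), annual damage
(step 4) and the accept / reduce / transfer decision with a cost check (step 5).

Added example, not part of the original article.  The web-server figures are the
page's own; every other number is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

CONTROL_PERIOD_YEARS = 1.0  # the text uses one year as the control period


@dataclass(frozen=True)
class Threat:
    asset: str
    name: str
    single_loss: float          # damage from one incident, RUB (step 2)
    frequency: float            # expected incidents per control period (step 3)
    countermeasure_cost: float  # full yearly cost of the protective measures
    residual_frequency: float   # expected incidents per period after the measures


def single_loss_from_downtime(avg_receipt: float, orders_per_hour: float,
                              downtime_hours: float) -> float:
    """The article's estimate for a sales web server: average receipt multiplied
    by the orders that would have arrived while the server was down."""
    return avg_receipt * orders_per_hour * downtime_hours


def annual_loss(threat: Threat) -> float:
    """Step 4: one-time damage multiplied by the frequency over the control period."""
    return threat.single_loss * threat.frequency / CONTROL_PERIOD_YEARS


def decide(threat: Threat, acceptable_annual_loss: float) -> str:
    """Step 5.  Accept a risk whose expected yearly damage is within the acceptable
    amount; otherwise reduce it if the measures cost no more than the damage they
    avert (the article's condition that costs must not exceed the damage); if the
    measures are not worth their price, transfer the risk (e.g. insure it).
    The thresholds are a simplification assumed for this example."""
    ale = annual_loss(threat)
    if ale <= acceptable_annual_loss:
        return "accept"
    averted = ale - threat.single_loss * threat.residual_frequency
    if threat.countermeasure_cost <= averted:
        return "reduce"
    return "transfer"


def assess(threats: List[Threat], acceptable_annual_loss: float) -> List[Dict]:
    """Produce the register the text asks for: damage per incident, frequency,
    yearly damage and the recommended action, ranked by yearly damage."""
    rows = []
    for t in threats:
        rows.append({
            "asset": t.asset,
            "threat": t.name,
            "single_loss": t.single_loss,
            "frequency": t.frequency,
            "annual_loss": annual_loss(t),
            "decision": decide(t, acceptable_annual_loss),
        })
    rows.sort(key=lambda r: r["annual_loss"], reverse=True)
    return rows


# Constructed register.  The first entry reproduces the article's web-server case;
# the receipt/order figures are chosen so that one 4-hour outage costs 100 000 RUB.
WEB_SERVER_LOSS = single_loss_from_downtime(avg_receipt=2_500, orders_per_hour=10,
                                            downtime_hours=4)          # 100 000 RUB
THREATS = [
    Threat("web server", "hardware / power failure", WEB_SERVER_LOSS, 2.0,
           countermeasure_cost=100_000, residual_frequency=0.2),   # UPS + backups
    Threat("web server", "defacement of a static page", 5_000, 0.5,
           countermeasure_cost=30_000, residual_frequency=0.1),
    Threat("customer database", "leak of customer records", 300_000, 0.1,
           countermeasure_cost=50_000, residual_frequency=0.08),
]

if __name__ == "__main__":
    for row in assess(THREATS, acceptable_annual_loss=10_000):
        print(f"{row['asset']:18} {row['threat']:28} "
              f"SLE={row['single_loss']:>9,.0f}  f={row['frequency']:<4} "
              f"ALE={row['annual_loss']:>9,.0f}  -> {row['decision']}")
```

With these inputs the web server comes out as "reduce" (200 thousand rubles of expected damage against 100 thousand of countermeasures), the low-damage defacement is accepted, and the database leak is marked for transfer because the proposed measures barely change its frequency.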

Qualitative method

Unfortunately, it is not always possible to obtain a specific expression of the object of evaluation due to great uncertainty. How to accurately assess the damage to a company’s reputation when information about an information security incident appears? In this case, a qualitative method is used.

The qualitative approach does not use quantitative or monetary expressions for the object being assessed. Instead, the object of assessment is assigned an indicator ranked on a three-point (low, medium, high), five-point or ten-point scale (0... 10). To collect data for qualitative risk assessment, surveys of target groups, interviews, questionnaires, and personal meetings are used.

Information security risk analysis using a qualitative method should be carried out with the involvement of employees with experience and competence in the area in which the threats are considered.

How to conduct a qualitative risk assessment:

1. Determine the value of information assets.

The value of an asset can be determined by the level of criticality (consequences) if the security characteristics (confidentiality, integrity, availability) of an information asset are violated.

2. Determine the likelihood of a threat occurring in relation to an information asset.

To assess the likelihood of a threat being realized, a three-level qualitative scale (low, medium, high) can be used.

3. Determine the level of feasibility of successfully realizing the threat, taking into account the current state of information security and the measures and means of protection already implemented.

To assess the level of possibility of a threat being realized, a three-level qualitative scale (low, medium, high) can also be used. The threat feasibility value indicates how feasible it is to successfully carry out the threat.

4. Draw a conclusion about the level of risk based on the value of the information asset, the likelihood of the threat being realized, and the possibility of the threat being realized.

To determine the level of risk, you can use a five-point or ten-point scale. When determining the level of risk, you can use reference tables that provide an understanding of what combinations of indicators (value, probability, opportunity) lead to what level of risk.

5. Analyze the data obtained for each threat and the risk level obtained for it.

Often the risk analysis team uses the concept of “acceptable level of risk.” This is the level of risk that the company is willing to accept (if the threat has a risk level less than or equal to acceptable, then it is not considered relevant). The global task in a qualitative assessment is to reduce risks to an acceptable level.

6. Develop security measures, countermeasures and actions for each current threat to reduce the level of risk.

Which method should you choose?

The goal of both methods is to understand the real risks of a company’s information security, determine a list of current threats, and select effective countermeasures and means of protection. Each risk assessment method has its own advantages and disadvantages.

The quantitative method gives a clear representation in monetary terms of the objects of assessment (damage, costs); however, it is more labor-intensive and in some cases inapplicable.

The qualitative method allows for a faster risk assessment, but the assessments and results are more subjective and do not provide a clear understanding of the damage, costs and benefits of implementing information security.

The choice of method should be made based on the specifics of a particular company and the tasks assigned to the specialist.

Stanislav Shilyaev, information security project manager at SKB Kontur

Information security risk is “the possibility that a given threat will be able to exploit the vulnerability of an asset or group of assets and thereby cause damage to the organization.”

In accordance with GOST R 51897-2011 “Risk management. Terms and definitions” and the international standard ISO 27001:2013 “Information security management systems”, the risk management process is a coordinated effort to direct and control an organization with respect to information security risk. Risk management includes risk assessment, risk treatment, risk acceptance and risk communication.

The purpose of the risk assessment process is to determine the characteristics of risks in relation to the information system and its resources (assets). Based on the data obtained, the necessary means of protection can be selected. When assessing risks, many factors are taken into account: the value of resources, estimates of the significance of threats and vulnerabilities, the effectiveness of existing and planned protection measures, and much more.

Baseline security is the mandatory minimum level of security for an information system. A number of countries have criteria for determining this level. As an example, take the UK criteria, the CCTA Baseline Security Survey, which define the minimum information security requirements for that country's government agencies. In Germany these criteria are set out in the BSI standard.

There are criteria from a number of organizations - NASA, X/Open, ISACA and others. In our country, this may be a security class in accordance with the requirements of FSTEC of Russia, a protection profile developed in accordance with the ISO-15408 standard, or some other set of requirements.

The criterion for achieving the baseline level of security is then the fulfillment of a given set of requirements.

Baseline risk analysis is risk analysis carried out in accordance with the requirements of the baseline level of security. Risk analysis methods that focus on this level typically do not consider the value of resources or evaluate the effectiveness of countermeasures. Methods of this class are used when no increased information security requirements are imposed on the information system.

Full risk analysis is risk analysis for information systems with increased information security requirements. It includes determining the value of information resources, assessing threats and vulnerabilities, selecting adequate countermeasures, and assessing their effectiveness.

According to GOST R ISO/IEC 27005-2010, the information security management process consists of the stages presented in Fig. 1.

Fig. 1. Stages of the information security risk management process according to GOST R ISO/IEC 27005-2010: risk assessment, comprising risk analysis (risk identification, quantitative risk assessment) and risk evaluation; second decision point: is the risk treatment result satisfactory?

According to GOST R ISO/IEC 27005-2010, the risk assessment process consists of risk analysis and risk evaluation proper.

Risk analysis includes risk identification (identifying assets, identifying threats, identifying existing controls, identifying vulnerabilities, determining consequences) and establishing risk values (assessing consequences, assessing the likelihood of an incident, establishing risk level values).

The risk assessment must identify risks, quantify and prioritize risks based on risk acceptance criteria and objectives that are meaningful to the organization.

Following the recommendations of GOST R ISO/IEC 27002-2012, risk assessments should be performed periodically to take into account changes in security requirements and in the risk situation, for example, in relation to assets, threats, vulnerabilities, impacts, risk assessments.

Before considering the treatment of a certain risk, a company must select criteria for determining whether the risks are acceptable or unacceptable.

The risk assessment process establishes the value of information assets, identifies potential threats and vulnerabilities that exist or may exist, identifies existing controls and their impact on the identified risks, and determines the possible consequences; finally, priorities are assigned to the identified risks, which are ranked according to the risk evaluation criteria recorded when establishing the context.

As a result of the risk assessment in accordance with GOST R ISO/IEC 27003-2012, it is necessary to:

  • identify threats and their sources;
  • identify existing and planned controls;
  • identify vulnerabilities that could, if exploited by a threat, cause damage to assets or the organization;
  • determine the consequences of loss of confidentiality, security, availability or non-repudiation, or of violation of other security requirements for assets;
  • assess the impact on the enterprise that may arise as a result of suspected or actual information security incidents;
  • assess the likelihood of incident scenarios;
  • assess the level of risk;
  • compare risk levels with the risk evaluation and acceptability criteria.

The methodology used for risk assessment should include the steps listed below.

  1. Definition of assets.
  2. Identification of threats.
  3. Identification of vulnerabilities.
  4. Determination of consequences.
  5. Assessing the likelihood of an incident.
  6. Establishing risk level values.
  7. Correlation of risks with criteria.
  8. Determination of risk treatment measures.

A flowchart of risk treatment activities is shown in Fig. 2.

Fig. 2. Risk treatment activities in accordance with GOST R ISO/IEC 27005-2010: first decision point (is the risk assessment result satisfactory?), followed by risk treatment.

In addition to these actions, the organization must also provide for risk monitoring.

Risks and their drivers (i.e. asset value, impact, threats, vulnerabilities, probability of occurrence) should be monitored and reassessed to identify any changes in the organization's context at an early stage, and an overall view of the entire risk picture should be maintained. The information security risk management process is subject to constant monitoring, analysis and improvement.

In risk analysis, the expected damage if threats are realized is compared with the costs of protective measures and means, after which a decision is made regarding the assessed risk, which may be:

  • reduced, for example, through the introduction of protection means and mechanisms that reduce the likelihood of a threat occurring or the destructiveness factor;
  • retained (accepted) as acceptable for the subject of assessment;
  • avoided, by refusing to use the resource at risk;
  • transferred, for example, insured, so that in the event of a security threat the losses are borne by the insurance company and not by the owner of the resource.

The most labor-intensive process is the risk assessment process, which can be divided into the following stages: risk identification; risk analysis; risk assessment.

Figure 3 schematically depicts the process of assessing information security risks. Risk identification consists of compiling a list and description of the risk elements: objects of protection, threats, vulnerabilities.

It is customary to distinguish the following types of objects of protection: information assets; software; physical assets; services; people and their qualifications, skills and experience; intangible resources such as the reputation and image of the organization.

As a rule, in practice, the first three groups are considered. The remaining objects of protection are not considered due to the complexity of their assessment.

At the risk identification stage, threats and vulnerabilities are also identified.

The input data for this are the results of audits, information security incident data, and expert assessments from users, information security specialists, IT specialists and external consultants.

Information obtained at the risk identification stage is used in the risk analysis process to determine:

  • the possible damage caused to the organization as a result of asset security violations;
  • the likelihood of such a violation occurring;
  • the magnitude of risk.

The amount of possible damage is determined taking into account the value of the assets and the severity of the consequences of a violation of their security.

The second component that shapes the value of possible damage is the severity of the consequences of a violation of asset security. All possible consequences and the degree of their negative impact on the organization, its partners and employees are taken into account.

Fig. 3. The process of assessing information security risks.

It is necessary to determine the severity of the consequences of a violation of confidentiality, integrity, availability and other important properties of the information asset, and then find the overall score.

The next stage of risk analysis is to assess the likelihood of threats occurring.

After the magnitude of possible damage and the likelihood of threats being realized have been determined, the magnitude of the risk is determined.

Risk calculation is made by combining possible damage, which expresses the likely consequences of a violation of asset security, and the likelihood of threats occurring.

This combination is often carried out using a matrix, where the possible values of damage are placed in the rows, the probability of the threat being realized in the columns, and the amount of risk at the intersection.

Next, the calculated risk levels are compared with the risk level scale. This is necessary to realistically assess the impact that calculated risks have on the organization's business and to communicate the meaning of risk levels to management.

The risk assessment must also identify acceptable levels of risk, at which no further action is required. All other risks require additional measures.
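The six-step qualitative procedure from the “Qualitative method” section and the damage × likelihood matrix just described, worked through with reference tables in code. This is an added example, not from any of the original articles: the two lookup tables, the ten-point risk scale, the acceptable level of 4 and the threat scenarios are constructed assumptions, standing in for the tables an organization agrees on for itself.

```python
"""Qualitative information security risk assessment with reference tables, as in
the six-step qualitative procedure and the damage x likelihood matrix described
in the text.  Added example, not from the original articles.  The two lookup
tables, the 0..10 risk scale and the acceptable level of 4 are constructed
assumptions; an organisation substitutes the tables it has agreed on."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ("low", "medium", "high")   # the three-level scale used throughout


def check_level(value: str) -> str:
    """Reject anything outside the agreed scale rather than silently mis-scoring."""
    if value not in LEVELS:
        raise ValueError(f"expected one of {LEVELS}, got {value!r}")
    return value


def asset_value(confidentiality: str, integrity: str, availability: str) -> str:
    """Step 1: an asset is worth as much as the worst consequence of breaching
    any one of its security characteristics."""
    worst = max(LEVELS.index(check_level(c))
                for c in (confidentiality, integrity, availability))
    return LEVELS[worst]


# Constructed reference table for step 3: how likely an actual incident is,
# given the likelihood of the threat (step 2) and how feasible it is to carry
# the threat out against the controls already in place.
INCIDENT_LIKELIHOOD: Dict[Tuple[str, str], str] = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}

# Constructed matrix for step 4 (rows: asset value / possible damage, columns:
# incident likelihood, cells: risk level on a ten-point scale).
RISK_MATRIX: Dict[str, Dict[str, int]] = {
    "low":    {"low": 1, "medium": 2, "high": 4},
    "medium": {"low": 3, "medium": 5, "high": 7},
    "high":   {"low": 5, "medium": 8, "high": 10},
}

ACCEPTABLE_RISK = 4   # assumed: risks at or below this level are not treated


@dataclass(frozen=True)
class ThreatScenario:
    asset: str
    threat: str
    confidentiality: str   # consequence if confidentiality is breached
    integrity: str         # consequence if integrity is breached
    availability: str      # consequence if availability is breached
    likelihood: str        # step 2: likelihood of the threat
    feasibility: str       # step 3: feasibility given current controls


def risk_level(s: ThreatScenario) -> int:
    """Steps 1-4 for one scenario: value, incident likelihood, matrix lookup."""
    value = asset_value(s.confidentiality, s.integrity, s.availability)
    incident = INCIDENT_LIKELIHOOD[(check_level(s.likelihood), check_level(s.feasibility))]
    return RISK_MATRIX[value][incident]


def relevant_threats(scenarios: List[ThreatScenario],
                     acceptable: int = ACCEPTABLE_RISK) -> List[Tuple[int, ThreatScenario]]:
    """Step 5: keep only threats above the acceptable level, highest risk first;
    these are the ones that need countermeasures in step 6."""
    scored = [(risk_level(s), s) for s in scenarios]
    return sorted(((r, s) for r, s in scored if r > acceptable),
                  key=lambda rs: rs[0], reverse=True)


# Constructed scenarios.
SCENARIOS = [
    ThreatScenario("customer database", "leak of personal data",
                   "high", "medium", "low", likelihood="medium", feasibility="high"),
    ThreatScenario("public web site", "defacement",
                   "low", "medium", "medium", likelihood="high", feasibility="low"),
    ThreatScenario("internal wiki", "accidental deletion",
                   "low", "low", "low", likelihood="medium", feasibility="low"),
]

if __name__ == "__main__":
    for level, s in relevant_threats(SCENARIOS):
        print(f"risk {level:>2}/10  {s.asset}: {s.threat}")
```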

The results of the risk assessment are used to determine the economic feasibility and priority of risk treatment measures and allow an informed decision to be made on the selection of protective measures that reduce risk levels.

There are many methods for analyzing and assessing information security risks. Some of them are based on fairly simple tabular methods and do not involve the use of specialized software tools; others, on the contrary, actively use them.

Despite increased interest in risk management, most of the techniques currently used are relatively ineffective because the process in many companies is carried out independently by each department. There is often no centralized control over their actions, which precludes the possibility of implementing a unified and holistic approach to risk management throughout the organization.

The classic software systems for assessing information security risks are CRAMM, FRAP, RiskWatch, Microsoft Security Assessment Tool (MSAT), GRIF, CORAS and a number of others. All known techniques can be classified as follows:

  • methods that assess risk at a qualitative level (for example, on a scale of “high”, “medium”, “low”); FRAP, in particular, belongs to this class;
  • quantitative methods (risk is expressed as a numeric value, for example, the size of the expected annual losses); the RiskWatch methodology belongs to this class;
  • methods using mixed assessments (this approach is used in the CRAMM and MSAT methodologies).
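To make the quantitative class concrete, here is an added example (not from the article or from any of the tools named) that applies the standard annual loss expectancy formula, ALE = asset value x exposure factor x annualised rate of occurrence, and derives a return-on-security-investment figure for candidate controls; the asset, the controls and their effects are constructed values.

```python
"""Annual loss expectancy (ALE) and return on security investment (ROSI).
Added example with constructed figures; not taken from the article or any tool."""
from dataclasses import dataclass

@dataclass
class QuantRisk:
    name: str
    asset_value: float      # monetary value of the affected asset
    exposure_factor: float  # share of the asset value lost per incident, 0..1
    aro: float              # annualised rate of occurrence, incidents per year

@dataclass
class Control:
    name: str
    annual_cost: float
    aro_reduction: float    # fraction by which the control cuts ARO, 0..1
    ef_reduction: float     # fraction by which it cuts the exposure factor, 0..1

def annual_loss_expectancy(r: QuantRisk) -> float:
    """ALE = SLE x ARO, where SLE (single loss expectancy) = asset value x exposure factor."""
    return r.asset_value * r.exposure_factor * r.aro

def residual_risk(r: QuantRisk, c: Control) -> QuantRisk:
    """Risk remaining after a control; its effect is modelled by the two constructed factors."""
    return QuantRisk(r.name, r.asset_value,
                     r.exposure_factor * (1 - c.ef_reduction),
                     r.aro * (1 - c.aro_reduction))

def rosi(r: QuantRisk, c: Control) -> float:
    """Return on security investment: (ALE saved - annual cost) / annual cost."""
    saved = annual_loss_expectancy(r) - annual_loss_expectancy(residual_risk(r, c))
    return (saved - c.annual_cost) / c.annual_cost

def fundable_controls(r: QuantRisk, controls: list) -> list:
    """Controls with positive ROSI, best first, as (rosi, name) pairs."""
    ranked = sorted(((rosi(r, c), c.name) for c in controls), reverse=True)
    return [(round(v, 3), n) for v, n in ranked if v > 0]

# Constructed scenario: a file server hit by ransomware about once every two years.
RISK = QuantRisk("ransomware on file server", asset_value=500_000,
                 exposure_factor=0.4, aro=0.5)
CONTROLS = [
    Control("offline backups", 15_000, aro_reduction=0.0, ef_reduction=0.75),
    Control("endpoint detection and response", 40_000, aro_reduction=0.6, ef_reduction=0.0),
    Control("stricter attachment filtering", 30_000, aro_reduction=0.15, ef_reduction=0.0),
]
```

A negative ROSI, as for the filtering control here, means the measure costs more per year than the loss it is expected to avert.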

Before deciding to implement a particular information security risk management methodology, you should make sure that it adequately takes into account the business needs of the company and its scale, complies with the best global practices, and contains a sufficiently detailed description of the processes and required actions.

Table 1 presents a comparative analysis of the classical methods (CRAMM, GRIF, RiskWatch, CORAS, MSAT).

Table 1

Comparison of software tools for information security risk management

Tools compared (columns): CRAMM, GRIF, RiskWatch, CORAS, MSAT. Comparison criteria (rows), grouped as in the source; the per-tool marks are not reproduced here:

  • Risks
    - Using the concept of maximum acceptable risk
    - Preparing an action plan to reduce risks
  • Control
    - Informing the manager
    - Work plan to reduce risks
    - Includes trainings, seminars, meetings
    - Business risk / operational risk / IT risk assessment
    - Risk assessment at the organizational level
    - Risk assessment at the technical level
    - Suggested ways to reduce risks: bypassing (preventing) the risk; risk reduction; taking (accepting) the risk
  • Processes
    - Use of risk elements: money; intangible assets; asset value; vulnerabilities; security measures; potential damage; probability of threats
    - Types of risks considered: business risks; risks associated with violation of laws; risks associated with the use of technology; commercial risks; risks associated with the involvement of third parties; risks associated with recruiting personnel
    - Methods for measuring risk values: qualitative assessment; quantitative assessment
    - Control methods: qualitative risk ranking; use of independent assessment; return on investment calculation; calculation of the optimal balance between different types of security measures (prevention, detection, corrective and recovery measures); integration of control methods; description of the purpose of control methods
    - Procedure for accepting residual risks
    - Residual risk management
  • Risk monitoring
    - Monitoring the effectiveness of information security measures
    - Implementation of risk reduction measures
    - Use of the information security incident response process
    - Structured documentation of risk assessment results

Note: The comparison table of software tools for risk analysis and assessment is based on the article: Baranova E.K., Chernova M.V. Comparative analysis of software tools for analyzing and assessing information security risks // Problems of Information Security. Computer Systems. 2014. No. 4. P. 160-168.

CRAMM assessment

This technique does not take into account supporting documentation, such as descriptions of business processes or reports on earlier risk assessments. As regards the risk management strategy, CRAMM assumes the use of risk reduction only; treatment options such as bypassing or accepting the risk are not considered. The method does not include:

  • the process of integrating control methods and describing the purpose of a particular method;
  • monitoring the effectiveness of the control methods used, and methods for managing residual risks;
  • recalculation of maximum permissible risk values;
  • an incident response process.

The practical application of CRAMM requires highly qualified specialists, and the risk assessment process is labor-intensive and lengthy. In addition, the high cost of the license should be noted.

GRIF assessment

The GRIF methodology uses both quantitative and qualitative methods of risk assessment, determines the conditions under which risks can be accepted by the company, and includes the calculation of the return on investment for the implementation of security measures. Unlike other risk analysis techniques, GRIF offers all ways of treating risks (bypass, reduce and accept). This methodology takes into account accompanying documentation, such as descriptions of business processes or reports on information security risk assessments.

RiskWatch assessment

This technique uses quantitative and qualitative methods of risk assessment. The labor intensity of risk analysis using this method is relatively small. The method is suitable when risk analysis is needed at the software and hardware level of protection, without taking organizational and administrative factors into account. A significant advantage of RiskWatch is its intuitive, clear interface and the greater flexibility of the method, provided by the possibility of introducing new categories, descriptions, questions, etc.

CORAS assessment

CORAS does not provide such an effective risk management measure as a “program for raising employee awareness in the field of information security.” Such a program reduces the information security risks that arise when company employees violate the information security regime out of ignorance of corporate requirements in this area and of the rules for the safe use of information systems. CORAS also does not provide for periodic risk assessment and updating of risk values, which indicates that the methodology is suitable for one-time assessments and not for regular use.

The positive side of CORAS is that the software product that implements this technique is distributed free of charge and does not require significant resources to install and use.

MSAT assessment

The key indicators for this software product are the business risk profile (the amount by which risk changes depending on the business environment, an important parameter that is not always taken into account when assessing the level of system security in organizations from different fields of activity) and the defense-in-depth index (a summary value of the level of security). MSAT does not provide a quantitative assessment of the level of risks; however, its qualitative assessments can be tied to a ranking scale.

MSAT allows you to evaluate the effectiveness of investments made in the implementation of security measures, but does not make it possible to find the optimal balance between measures aimed at preventing, detecting, correcting or recovering from damage to information assets.

The methods considered correspond well to the requirements of the “Risks” and “Processes (Use of risk elements)” groups, but some of them (CRAMM, CORAS) have shortcomings in the “Monitoring” and “Control” sections, as well as in many “Processes” subsections. Only a few (GRIF, RiskWatch, MSAT) provide detailed guidance on scheduling risk reassessments.

Where only a one-time assessment of the level of risks in a medium-sized company is required, the CORAS methodology can be recommended. For risk management based on periodic assessments at the technical level, CRAMM is best suited. The Microsoft Security Assessment Tool and RiskWatch methodologies are preferred for large companies that plan to introduce information security risk management on the basis of regular assessments at a level not lower than the organizational one, and that require a reasoned action plan for reducing those risks.
