In today's business landscape it is necessary to address a company's security needs and manage risk, through an iterative process of risk quantification and mitigation. The aim is to reduce risk to As Low As is Reasonably Practicable (ALARP).
Let us introduce you to our sensible approach to security. It will make sense, regardless of how much you know.
It is quite common for companies to be concerned about Information Security given the incidents of hacking and cyber crime that happen daily, especially when it comes to mission-critical, confidential and commercially sensitive systems and information.
When you already have a few security products in place, trying to increase your security assurance level can be daunting. What should your organisation do?
Contract white hackers to conduct penetration testing?
Call a Security Expert? Buy a new managed Firewall?
Hire a company to outsource security to partially or completely?
Without a structured approach to requirements analysis, such ad hoc, perhaps knee-jerk, approaches may add a resource overhead without addressing a range of underlying problems.
To address security, a company needs to:
1. Understand the assets it is trying to protect
2. Understand which assets are vulnerable, and how
3. Understand the impact if security is breached and how likely a breach is to occur. This is the Quantitative Risk Assessment
4. Based on all of the above, a priority for what needs to be done first can be drawn up. This is the mitigation analysis. Residual risk can then be evaluated.
5. Ways of treating the risk to each asset are chosen which fit the available time, budget, staff skills and company culture. This takes practicality into account and applies the ALARP principle.
The process in steps 1 to 5 is called an Information Security Risk Assessment, and it is one of Infrarisq's core services.
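As an added illustration of steps 3 to 5 (example code written for this page, not an Infrarisq tool), the following Python carries a constructed risk register through quantification, ranking, residual-risk calculation and an ALARP choice. The impact-times-likelihood scoring, the money figures and the per-mitigation reduction factors are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str              # step 1: the asset being protected
    threat: str             # step 2: how it is vulnerable
    impact: float           # step 3: loss per incident (constructed money units)
    likelihood: float       # step 3: expected incidents per year (assumed)
    def exposure(self) -> float:
        """Quantified annual risk: impact x likelihood (assumed scoring model)."""
        return self.impact * self.likelihood

@dataclass
class Mitigation:
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0  # residual likelihood multiplier (0.5 = halved)
    impact_factor: float = 1.0      # residual impact multiplier

def rank_risks(risks):
    """Step 4: order by exposure so the largest risk is treated first."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)

def residual_exposure(risk, m):
    """Step 4: the risk that remains once a mitigation is applied."""
    return risk.impact * m.impact_factor * risk.likelihood * m.likelihood_factor

def select_alarp(risk, options, budget):
    """Step 5: pick the practicable option with the best net risk reduction.
    An option counts only if it fits the budget and removes more risk than it
    costs; if none does, None is returned and the risk is accepted as ALARP."""
    best, best_net = None, 0.0
    for m in options:
        net = risk.exposure() - residual_exposure(risk, m) - m.annual_cost
        if m.annual_cost <= budget and net > best_net:
            best, best_net = m, net
    return best

# Constructed sample register (not real client data).
RISKS = [
    Risk("laptop fleet", "lost or stolen device", impact=5_000, likelihood=1.5),
    Risk("customer database", "data breach", impact=500_000, likelihood=0.1),
    Risk("web shop", "outage from DDoS", impact=20_000, likelihood=2.0),
]
DB_OPTIONS = [  # candidate treatments for the database risk (assumed figures)
    Mitigation("encrypt data at rest", annual_cost=15_000, impact_factor=0.2),
    Mitigation("annual penetration test", annual_cost=8_000, likelihood_factor=0.6),
    Mitigation("outsourced 24x7 SOC", annual_cost=60_000, likelihood_factor=0.3),
]

if __name__ == "__main__":
    top = rank_risks(RISKS)[0]
    print(top.asset, "->", select_alarp(top, DB_OPTIONS, budget=100_000).name)
```

Run as a script it prints the top-ranked asset and the mitigation chosen for it; note that the costly SOC option is rejected because its annual cost exceeds the risk it would remove, which is the ALARP judgement in numbers.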
Risk Assessment can be applied to a small or large number of systems or the whole organization.
The premise of RA workshops is "what could go wrong in the future": brainstorming by all stakeholders to provide a structured and documented "what if" analysis.
IT Audits supplement Risk Assessment by analyzing processes and infrastructure in the context of standards or accepted norms.
The Information Security Risk Assessment provides a mass of information which can be used for purposes other than purely managing Information Security Risks.
We provide various types of Risk Assessment services which you can explore on our services page. Risk Assessment & IT Audit