InfoSec Risk Management: Be A Net Safe.
Information security risk management is a wide topic, with many notions, processes, and technologies that are often confused with each other.
Very often technical solutions (cybersecurity products) are presented as “risk management” solutions without any process-related context.
Modern cybersecurity risk management is certainly not possible without technical solutions. However, these solutions alone, when they are not correctly integrated into the organization’s risk management processes, may not be enough; in that case “risk management” can even create a false sense of security.
InfoSec vs Cybersecurity risk management
Differences between cyber risk management and information security risk management
Before “cybersecurity” became a slogan, information security analysts used only the terms “information security” and “IT security”.
“Information security” is clearly the broader term. It covers information in any form in which it is stored, processed, or transmitted (including paper). It also covers organizational entities, processes, legal/regulatory questions, and insurance. (Yes, insurance also reduces damage, by transferring the risk, and is therefore a safeguard measure.)
“IT security” refers only to information technology. Both terms (“information security” and “IT security”) have been, and still are, used interchangeably, but strictly speaking this is incorrect, since the IT system is only one part of the information processing system.
The purpose of risk assessment for information security
The primary aim of information security risk management is to address the risks to the information that an organization continuously processes. These risks should be handled in accordance with the organization’s risk management strategy.
Information security risk management is part of an organization’s overall risk management and should be compatible with a general, high-level risk management framework.
Achieving the information security objective stated above depends on the following elements:
Methodology for handling information security risks;
Policy and processes for handling information security risks;
The risk assessment mechanism for information security;
Stakeholders in information security risk management.
Standards for NIST and ISO
NIST recommendations and ISO standards on information security risk management are available (and practically applicable).
ISO 31000 (namely ISO 31000:2001, ‘Risk Control Standards, Rules’, currently under revision) is the primary ISO high-level risk management standard.
ISO 31000 defines a risk management process that applies irrespective of the risk analysis method used.
Besides that, there are other information security risk management standards and guidelines:
ISO/IEC 27005: “Information technology — Security techniques — Information security risk management”;
NIST Special Publication 800-39: “Managing Information Security Risk: Organization, Mission, and Information System View”;
NIST Special Publication 800-30 Rev 1: “Guide for Conducting Risk Assessments”.
Description of risk
Let’s talk about another significant issue: the notion of risk itself, which is often overlooked.
In everyday language we often mix up the concepts related to risk management: risk, threat, hazard, and so on. If we want to handle risk correctly, we cannot do this; it is not just a matter of combining ideas. Moreover, these concepts are used in every risk analysis methodology. Without a clear understanding of them, we can neither conduct a risk analysis nor interpret the results of the applied risk assessment process.