Security risk management is a critical process that every organization needs to implement at all of its levels (board, management and operations) in order to reduce negative business impact such as loss of revenue or competitive edge, damage to reputation, etc.
IPV Security's risk management methodology identifies and ranks risks in order to propose solutions that reduce the damage potential.
Research shows clearly that when an organization adopts a proactive approach through prevention activities (such as risk surveys, regulatory compliance, monitoring and alerting systems, etc.), the likelihood of exposure and breach decreases. The focus of a risk survey is determined by the needs of the organization. Here are some examples of common types of risk assessments:
- Data leakage risk survey (focused on the type of information critical to the organization)
- Risk survey based on the PCI-DSS standard requirements
- SOX (Sarbanes-Oxley) and iSOX risk survey
- Risk survey for internal audit needs
- Risk survey based on the ISO 27001 standard requirements
- Supervisor of Banks (357) and Supervisor of the Capital Market, Insurance and Savings (257) risk surveys
- Comprehensive risk survey of the organizational IT infrastructure
- Risk survey of a system that has been defined as critical to the organization
- Security audits and assessments, using black-box and white-box approaches
- Interviews with key personnel in order to map information assets and identify security exposures and vulnerabilities
- Review of information security procedures and their implementation within the organization's business processes
To receive a case study example and / or schedule a meeting with an information security expert, contact us.
The Conficker worm, which erupted in late 2008 and hit computer infrastructure and networks, caused massive damage to many Israeli companies, which were compromised to varying degrees, up to the complete shutdown of the organization for several days.
However, many companies were not compromised at all.
This fact immediately raises several questions:
- Why was one organization compromised while others were not?
- Was it possible to prevent the compromise, or to manage the risk properly?
- What was different in the organizations that were not compromised, and how did it prevent the compromise?
- What was missing in the affected companies that allowed them to be compromised?
- What factors affected the extent of the damage and compromise?
- What, if anything, accelerated or slowed the worm's spread?
- And so on.
First, we should remember that the organization's risk management is the responsibility of management and the CEO. However, in order to make informed decisions that match the organization's needs, security personnel at all levels of the company hierarchy are required to provide information and tools with a risk management orientation.
Information security risk management is a central process that each organization should implement at all of its operational and management levels, from the board to the last operational worker, so that such a compromise does not come as a surprise but is taken into account as a calculated risk.
Influencing factors: dynamics and variability
The number of information security incidents that compromise the availability, confidentiality and integrity of information systems and their data is growing rapidly every week. Therefore, the assumption that "nothing happened to us in the last 5 years" does not necessarily hold for the next 5 years, not to mention the next few weeks.
IT systems are also not what they used to be. Network dynamics, as well as users' needs and requirements, change them on a daily basis.
And the budget... well, thanks for asking, it's a challenging financial year.
The solution: risk management
IPV Security's risk management methodology identifies the risks and their probability for every kind of organization, maps the organization's information assets and their physical location, checks the vulnerability level of the information systems and of the human factor, and recommends focused solutions prioritized by their potential damage to the organization. No more endless investment in information security, but focused investment based on the probability of threats and their potential damage.
Of course, you cannot discuss risk management without considering return on investment (ROI). After all, discussing budgets is inevitable.
Well, before we consider the return on investment in information security, we need to ask ourselves some questions and think about the answers: What is the ROI of the annual medical checkup our family doctor requires? What is the ROI of the 15,000 km car service? What is the ROI of backing up the data on all workstations and enterprise servers? What is the ROI of upgrading a workstation (adding memory, a more powerful processor, etc.)? Of life insurance or home contents insurance?
These examples show that in everyday life there are endless activities and services we purchase on the basis of hunches and assumptions, and not only on the basis of return on investment. However, these examples do not exempt us from appropriate (!?) budgeting and prioritization of information security projects, and, of course, from explaining why, for example, installing a monitoring system is more important and more urgent than upgrading the network infrastructure, or vice versa.
IPV's methodology allows you to manage the risks and to examine the ROI of information security systems. During the risk management process we quantify, in a methodical and organized manner, all the parameters and risks in their organizational context. By doing so, we help IT staff and management make informed decisions that best fit the organization's needs.
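To make the quantification and ROI argument above concrete, here is an added example of how a risk register can rank risks by expected annual damage and rank candidate controls by their return on security investment. It is an illustration written for this page, not IPV Security's methodology or code: it uses the classic annualized-loss model (ALE = SLE x ARO) and ROSI = (loss avoided - control cost) / control cost. The risks, controls and all figures are constructed, and the scenario names (a worm outbreak, a monitoring system, a network upgrade) echo the page's own examples rather than describing any real organization.

```python
"""Quantitative risk register with control prioritization (added example).

Model assumed here (not the page's own method): each risk has a single
loss expectancy (SLE, cost of one incident) and an annualized rate of
occurrence (ARO, incidents per year); ALE = SLE * ARO. A control cuts
the ARO of the risks it addresses; its return on security investment is
ROSI = (ALE_before - ALE_after - annual_cost) / annual_cost.
All figures are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str
    sle: float  # single loss expectancy: cost of one incident
    aro: float  # annualized rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected damage per year."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    # risk name -> fraction in [0, 1] by which this control cuts that risk's ARO
    aro_reduction: Dict[str, float]


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Order risks by ALE, highest potential annual damage first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def residual_ale(risks: List[Risk], control: Control) -> float:
    """Total ALE that remains once the control is in place."""
    total = 0.0
    for r in risks:
        reduction = control.aro_reduction.get(r.name, 0.0)
        if not 0.0 <= reduction <= 1.0:
            raise ValueError(f"{control.name}: reduction for {r.name!r} must be in [0, 1]")
        total += r.sle * r.aro * (1.0 - reduction)
    return total


def rosi(risks: List[Risk], control: Control) -> float:
    """Return on security investment: (loss avoided - cost) / cost.

    A negative value means the control costs more per year than the
    damage it is expected to prevent, which is the budget conversation
    the page describes.
    """
    if control.annual_cost <= 0:
        raise ValueError(f"{control.name}: annual cost must be positive")
    avoided = sum(r.ale for r in risks) - residual_ale(risks, control)
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(risks: List[Risk], controls: List[Control]) -> List[Control]:
    """Order candidate controls by ROSI, best investment first."""
    return sorted(controls, key=lambda c: rosi(risks, c), reverse=True)


# Constructed sample register: illustrative figures, not real data.
RISKS = [
    Risk("Worm outbreak on unpatched workstations", "workstation fleet", sle=200_000, aro=0.5),
    Risk("Customer data leakage", "CRM database", sle=500_000, aro=0.1),
    Risk("Core switch failure", "network infrastructure", sle=40_000, aro=0.25),
]

CONTROLS = [
    Control("Monitoring and alerting system", annual_cost=30_000,
            aro_reduction={"Worm outbreak on unpatched workstations": 0.6,
                           "Customer data leakage": 0.5}),
    Control("Network infrastructure upgrade", annual_cost=50_000,
            aro_reduction={"Core switch failure": 0.8}),
    Control("Patch management", annual_cost=20_000,
            aro_reduction={"Worm outbreak on unpatched workstations": 0.8}),
]

if __name__ == "__main__":
    print("Risks by annualized loss expectancy:")
    for r in rank_risks(RISKS):
        print(f"  {r.ale:>10,.0f}/yr  {r.name} ({r.asset})")
    print("Controls by return on security investment:")
    for c in rank_controls(RISKS, CONTROLS):
        print(f"  ROSI {rosi(RISKS, c):+.2f}  {c.name}")
```

With these constructed figures, patch management and the monitoring system both pay for themselves, while the network upgrade addresses a risk whose expected annual loss is far below the upgrade's cost; that is exactly the kind of comparison the page says has to be explained to management, and the numbers, not hunches, carry the argument. In practice the hard part is the input: SLE and ARO estimates should come from the asset mapping and interviews described earlier, and the register should be revisited as the threat picture changes.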
Interested in hearing how IPV's unique risk management methodology can assist your organization? Contact us!