The information security risk management policy is described in the international standard ISO/IEC 27005:2008. The document sets out the objectives pursued by this continuous process:
- identification of assets, assessment of their value;
- identification of threats to assets and vulnerabilities in the protection system;
- estimating the probability that threats materialise, calculating the resulting risk and preventing it.
Information security risk assessment is carried out in stages (identification of threats, of vulnerabilities and of assets) using the management methods specified in the standard, which allow a qualitative or quantitative analysis of threats, identification of the system's risk factors, and selection of the best solution by clustering. It should be noted that there is no single prescribed method for calculating the magnitude of a risk, so, in accordance with the standard and best practice, organizations should take every feasible measure to prevent risks, namely: compliance by all employees with cyber hygiene rules and internal security regulations, the use of modern protection against new attacks and threats, and the use of information security risk management systems.
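As an added illustration of the stages just described (this is example code written for this page, not a method prescribed by ISO/IEC 27005 or code from any product named here), the following register scores each threat/vulnerability/asset combination qualitatively in the matrix style the standard gives as one possible approach, ranks the results and maps them to a treatment decision, and also shows the quantitative annual loss expectancy calculation for contrast. The 1..5 scales, the level thresholds, the treatment labels and the sample assets are all assumptions chosen for the example.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumed five-point qualitative scale


def in_scale(n: int) -> bool:
    """True if n lies on the assumed 1..5 qualitative scale."""
    return isinstance(n, int) and SCALE_MIN <= n <= SCALE_MAX


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # business value: 1 (negligible) .. 5 (critical), assumed scale

    def __post_init__(self):
        if not in_scale(self.value):
            raise ValueError(f"asset value out of scale: {self.value}")


@dataclass(frozen=True)
class Scenario:
    """One identified threat exploiting one vulnerability of one asset."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # probability the threat materialises, 1 .. 5 (assumed scale)
    exposure: int    # ease of exploiting the vulnerability, 1 .. 5 (assumed scale)

    def __post_init__(self):
        for label, n in (("likelihood", self.likelihood), ("exposure", self.exposure)):
            if not in_scale(n):
                raise ValueError(f"{label} out of scale: {n}")


def risk_score(s: Scenario) -> int:
    """Qualitative score: asset value x likelihood x exposure, range 1..125."""
    return s.asset.value * s.likelihood * s.exposure


def risk_level(score: int) -> str:
    """Map a score to a level; thresholds are an assumption for the example."""
    if score >= 60:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


# Assumed treatment policy per level (accept / mitigate / mitigate now).
TREATMENT = {
    "high": "mitigate immediately",
    "medium": "mitigate according to plan",
    "low": "accept and monitor",
}


def assess(register):
    """Score every scenario and return rows ranked from highest to lowest risk."""
    rows = []
    for s in register:
        score = risk_score(s)
        level = risk_level(score)
        rows.append({
            "asset": s.asset.name,
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "score": score,
            "level": level,
            "treatment": TREATMENT[level],
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def annual_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Quantitative view: SLE = value x exposure factor; ALE = SLE x annual rate of occurrence."""
    single_loss_expectancy = asset_value * exposure_factor
    return single_loss_expectancy * aro


# Constructed sample register (fictional assets and ratings).
CUSTOMER_DB = Asset("customer database", value=5)
PUBLIC_WEBSITE = Asset("public website", value=3)
HR_LAPTOP = Asset("HR laptop", value=4)

SAMPLE_REGISTER = [
    Scenario(CUSTOMER_DB, "ransomware", "unpatched file server", likelihood=4, exposure=3),
    Scenario(PUBLIC_WEBSITE, "defacement", "outdated CMS plugin", likelihood=3, exposure=2),
    Scenario(HR_LAPTOP, "device theft", "disk not encrypted", likelihood=2, exposure=4),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['level']:6} {row['score']:3}  {row['asset']} / {row['threat']} -> {row['treatment']}")
    # Constructed figures: database worth 200 000, 25% loss per incident, one incident per two years.
    print("ALE for the customer database:", annual_loss_expectancy(200_000, 0.25, 0.5))
```

Running the block prints the register ranked high to low; the ranking, not the absolute numbers, is what drives the order in which treatments are scheduled, which is why the multiplicative score is paired with coarse level thresholds rather than reported on its own.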
Today the notion of information security risk is directly tied to the automation of the workflow, so the management of these risks should likewise be automated by software built for the purpose (vulnerability analysis, information security monitoring, etc.).
Implementing such software makes it possible to organize the essential steps: identifying risks, assessing them and their consequences, building a sequence of actions, involving the necessary people, carrying out monitoring, tracing important events, surfacing the necessary information, and training employees in the actions needed to reduce the organization's risks. The Lepide Data Security Platform, which incorporates all security standards and fundamentals, performs the necessary checks to help correct misconfigurations and comply with IS standards in a timely manner.