By Hoayran Moreira Cavalcanti

Any company data that has value and that forms part of some activity of the corporation can be considered an asset. Assets, in turn, are any elements of value to the organization, whether tangible, such as hardware, or intangible, such as software or intellectual property. In either case these assets need to be protected.

Assets can be segregated by levels of importance, for example: the chemical formula that made a hypothetical cosmetics company grow and become the national benchmark in perfume production in Brazil (a fact that makes the formula fundamental to the company’s business operations). In this example, this asset must be protected vigorously, and the company must anticipate the possible threats that it may suffer. Each asset is considered to have a level of importance for business success. In cases like the example above, it is the heart of an organization.

This article is a brief analysis of risk management based on the standard ISO / IEC 27005: 2011 — Information Technology — Security Techniques — Information Security Risk Management, which provides guidelines for the information security risk management process. This standard is designed to be used by any organization that aims to manage threats that, in any way, compromise information security.

Threats are the risks related to a company’s information security. Such risks may manifest in a variety of ways, whether intentional or accidental, and may relate to internal aspects of the system as well as to physical and environmental aspects. Thus, threats to information security include human error, software and hardware failures, vandalism, terrorism, and even natural events such as fires and floods that could somehow lead to the loss of this data.

The principles of risk management are to create value for the organization and to protect its assets. Since risk management is an integral part of all organizational processes, this value should be considered in decision making, always addressing the possible risks to the asset and keeping human and cultural factors in mind.

First, four basic steps must be followed to achieve a satisfactory business security outcome:

Plan: Define context, risk analysis, risk treatment and acceptance;

Execute: Implement a risk plan;

Verify: Perform continuous monitoring and critical risk analysis;

Act: Perform maintenance and improvement of processes.

In addition, understanding of the following areas is essential for the full development of risk management and analysis:

Legislation: Identify the regulatory and legal issues surrounding the company;

Processes: Understand the activities performed internally;

Business: Calculate risk impacts on the company’s area of activity;

Technical: Understand the hardware and software support in place.

To understand the context of risk management and analysis, you need to understand the external and internal environment of the company:

The external environment of a company includes risks originating outside the company and beyond human control, such as a flood or other natural disaster, but this category also includes the influences of the macroenvironment as defined by marketing theory. This includes the cultural environment (of the region where the company’s products are supplied), the financial environment (the economy of where the products are supplied), the regulatory environment (the laws governing the company’s operation) and the technological environment (how technological advances affect the company).

The internal environment, on the other hand, contains the risks subject to human and organizational control, including the segregation of access permissions to internal company directories — which must always be segmented by area and by the cells of each division, for greater control and a lower level of risk from information leakage. At this stage, one should analyse the governance, norms, information systems, corporate culture and objectives of the organization.

NBR ISO / IEC 27005 states that the activities of the context definition stage should be started by the team responsible for risk management and analysis and conducted through presentations within the organization, based on interviews with directors, managers, technicians and users.

This step identifies the events that pose threats to a particular organization and the level of risk they represent. First, identify assets, threats and vulnerabilities:

Asset Identification: Anything that has any value for the company’s production;

Threat Identification: Anything that could harm company assets;

Identification of existing controls: Any or all controls already in place to minimize risks that may adversely affect assets;

Identification of vulnerabilities: Already mapped weaknesses that could harm the integrity of the asset;

Consequences Identification: Any negative consequences an asset may suffer, and the resulting impact on the company’s business.

After the assets have been identified, the following process should occur:

Asset Protection Activities: Entry -> Action + Guidelines -> Exit

Here “Action + Guidelines” are the actions taken on the basis of pre-existing asset care guidelines, and the exit is the completion of the activities applied to the risks already mapped.

From this brief analysis, managers and administrators in information security-related areas can understand how to begin managing risk within an organization, thus taking the first step towards a secure and vigorously developing environment.