Security Risk Analysis & Assessment, and ISO 17799 / BS7799 Compliance
The Leading Security Risk Analysis and ISO 17799 / BS7799 Compliance Tool
Why do most major businesses and many public organizations now employ a formal security Risk Analysis methodology? What tangible benefits and advantages does such a program actually bring? How can these be maximized? To answer these questions, we need to go back to the basics and also ask 'what is risk analysis?'.
A classical definition of Risk Analysis is one which describes it as a process to ensure that the security controls for a system are fully commensurate with its risks. This description is accurate, at the highest level. However, there are many other almost equally beneficial advantages. The list below was compiled by an existing COBRA customer:

Cost Justified Security
Additional security almost always involves additional expense. As this does not directly generate income, it is important that this is justified in financial terms. The Risk Analysis process should directly and automatically generate such justification, vindicating all the security recommendations made.

Business Related Security: Breaking Barriers
Risk Analysis should not only direct appropriate information at both department management and IT staff, but play a major and pro-active role in enhancing the understanding of each of the needs and role of the other.

Greater Productivity: Audit/Review Savings
A Risk Analysis program should increase the productivity of the security or audit team. By creating a review structure, formalizing and automating the review, pooling security knowledge in the system's "knowledge base", and utilizing "self-analysis" features, much more productive use of time is possible. The ability to 'build in' expertise should also alleviate the need for expensive external security consultants.

Self Analysis: The Integration of Security
The Risk Assessment system should enable security to be driven into more areas and to become more devolved. It should allow security to become part of the organization's culture, allowing departmental management to take more of the responsibility for ensuring an adequate and appropriate level of security.

Better Targeting of Security
Security should be properly targeted, and directly related to potential impacts, threats, and existing vulnerabilities. Failure to achieve this could result in excessive or unnecessary expenditure. Risk Analysis promotes far better targeting and facilitates accurate security decisions.

Increased Security Awareness
The wide-scale application of a risk assessment program, by actively involving a greater range and number of staff, will promote security as an issue for discussion, and increase security awareness within the enterprise.

The Application of 'Baseline' Security and Policy
Many organizations require adherence to certain 'baseline' standards. This could be for a variety of reasons, such as legislation (e.g. the Data Protection Act), organization policy, regulatory controls, etc. The Risk Analysis methodology should support such requirements, and enable rapid identification of shortcomings.

Consistency
A major benefit of the application of Risk Analysis is that it brings a consistent and objective approach to all security reviews. This applies not only across different departments, but across different types of department.