Risk analysis

Risk analysis results in an evaluation of the threats that may influence the operations of the organisation the most.

The aim of risk analysis is:

  1. To identify the weaknesses that may appear in the organisation’s information system;
  2. To identify the threats that may be realised through the weaknesses;
  3. To assess the possible damages caused by the threats.

Taking into account the characteristics of the operation of the organisation, its needs and security class, we generally proceed from the following documents in risk assessment:

  1. EVS-ISO/IEC 27001:2006 Information technology. Security techniques. Information security management systems. Requirements.
  2. EVS-ISO/IEC 27003:2011 Information technology. Security techniques. Information security management system implementation guidance.
  3. EVS-ISO/IEC 27005:2009 Information technology. Security techniques. Information security risk management.
  4. EVS-ISO/IEC 27002:2008 Information technology. Security techniques. Code of practice for information security management.
  5. Three-tiered baseline security system for information systems, i.e. ISKE

Following a methodology based on standards, HLP’s experienced consultant analyses the current state of the organisation’s data processing, finds its weaknesses and assesses the risks deriving from relevant threats.

Method

Description Result
Rules and regulations

HLP: Analyses internal rules and regulations, job descriptions, statutes, and other related documents that regulate the use and management of the information system, and the workflow of IT specialists and users.
Identifies which regulations and documents are absent and proposes either creating these or complementing the existing ones. Centralizes, systematizes and describes existing data.

CLIENT: Assembles necessary input materials. If necessary, makes changes to the existing rules and regulations. If possible, approves changes to documents during the consultation project.

Overview of requirements
Recommendations for changing, harmonizing and improving procedures
Interviews with key personnel

HLP: Carries out interviews to acquire information about the current state of the information systems. The personnel interviewed are the leading business staff – executives, main users of applications/ information systems and if necessary staff members in charge of business processes. In some cases interviews with other partners might be necessary to obtain additional information on the IT infrastructure applications supporting the business applications.

CLIENT: Ensures the participation of key personnel in interviews. Informs cooperation partners about the objectives of assessing the current situation and coordinates their fulfillment.

Memos and minute of meetings
Security classes

HLP: Establishes the security classes and protection levels. Describes requirements for making choices concerning databases, IT solutions and services. E.g., in which cases the use of cloud services is recommended.CLIENT: Ensures the participation of key personnel in discussions. Determines security classes and protection levels.

Memos, minutes
Software audit

HLP: Compiles an overview of used software. Gives an assessment to the maintenance of workstations and servers, including implementation of security updates, status of anti-virus software. Central network devices, servers and partially also workstation PCs will be audited.

CLIENT: Under the supervision of the consultant, assembles necessary input data from workstations, laptops, central devices and servers for auditing.

Report
Risk analysis

HLP: Analyses the threats and weaknesses of the information system. Describes the current information security situation through threats and weaknesses. Words recommendations and observations for improving the situation so that an action plan could be based on these.

CLIENT: Assembles input and background information needed for the analysis. Explains inconsistent or complex processes and requirements.

Risk assessment
Brainstorming 

Observations made while assessing the current situation are elaborated on during brainstorming sessions. Also, the solutions described in recommendations are harmonized with the expectations of the management and key personnel and the requirements of the core service.

HLP: Coordinates brainstorming sessions with key personnel.

CLIENT: Participates actively in brainstorming and thereby receives a more detailed understanding of the result from the point-of-view of company’s interests.

If necessary, a minute
Corrected risk assessment
Recommendations

HLP: Words the necessary recommendations and observations to dissolve bottlenecks, on which the organisation can draw up their activity plan.

Activity plan
Dossier

HLP: Creates a project dossier where all the relevant material is assembled.

Project dossier

Risk analysis example structure

Chapter Topic
1.  Summary 1.1. Work objective and result
1.2. Used methods and terms
1.3. Information security needs
2. Security class 2.1. Appointing security classes
2.2. Information system security classes
2.3. Observations
3. Risk analysis 3.1. Explanations of risk assessment
3.2. Risk assessment
3.2.1. Weakness: Hardware
3.2.2. Weakness: Software
3.2.3. Weakness: Network
3.2.4. Weakness: Personnel
3.2.5. Weakness: Location
3.2.6. Weakness: Organisation
4. Data security action plan 4.1. Explanations of the action plan
4.2. Course of action
4.3. Urgent actions
4.4. First stage actions
4.5. Second stage actions
5. Annexes 5.1. Annex 1 Assigning a security class (ISKE)
5.2. Annex 2 List of threats (EVS-ISO/IEC 27005:2009)
5.3. Annex 3 List of weaknesses (EVS-ISO/IEC 27005:2009)
5.4. Annex 4 Instructions for preparing documentation