Risk-based IS audit and the concept of unacceptable events
Taking into account the specifics of the business
Certified specialists
Post-audit support
Minimizing information security risks
A risk-based approach to information security is a way of ensuring IS that is built on analysing risks and prioritizing them.
The focus is on identifying and understanding potential threats and risks, as well as applying appropriate security measures to manage them. This approach requires constant monitoring and adaptation to changing conditions and threats.
During the Audit we compile a consolidated list of the company's information security risks and develop a risk management methodology, on the basis of which the Client can decide what to do with each risk going forward: minimize it, accept it, or transfer responsibility for it to a third party.
We also compile a consolidated list of information security events that are unacceptable for the company, and develop recommendations to minimize the likelihood of such events occurring in the Client's business.
An unacceptable information security event is an event or action that violates the company's information security policies, procedures, rules or standards. Examples include unauthorized access, malware, phishing and fake websites.
The cost of protecting an asset should not exceed the potential damage that its loss or compromise could cause. This is the principle that ITGLOBAL.COM Security auditors follow while delivering the service.
Why identify risks and compile a list of unacceptable information security events
Saving the information security budget
Helps allocate the information security budget correctly by addressing the most critical violations first
Division of responsibility between IT and information security departments
A clear split of responsibilities increases efficiency and reduces the time spent on completing tasks
Minimizing information security risks
Knowing the possible risks and how critical each of them is for the business, you can prepare in advance for adverse situations
Reducing the likelihood of information security incidents
Following the recommendations will raise the level of protection of confidential information in the Company
Our clients
While delivering the service, the Auditor collects information about the components in the following research areas:
Network and wireless infrastructure
Infrastructure services (OS, IBS, etc.)
Application services (DBMS, ERP, etc.)
Security of confidential information
Managing access to IT infrastructure components
Security control (DLP, malware protection, etc.)
Organization of fault tolerance of information infrastructure components
Secure software development
The result of the risk-based audit of information security processes using the concept of unacceptable events is a Report that consists of:
Summary
A general description of the Audit results without specialized terminology, with an assessment of the criticality of the violations identified in information security processes
Detailed Report
A description of the current state of the processes and the violations found, with detailed guidance on eliminating each identified violation
Areas of responsibility
This section contains information about the division of responsibilities between IT and information security specialists
What to do with the Report
Analyze the results
Carefully review the Report to analyze the identified violations, potential consequences and recommendations for their elimination.
Develop an action plan
Create an action plan to eliminate the identified violations in the information security processes. Set deadlines and responsible persons to ensure an appropriate response to each problem.
Handle the risks
Take measures to treat the risks and implement protection against unacceptable information security events in accordance with the action plan
Train the staff
Conduct employee training to increase awareness of risks and best security practices
How the Audit is conducted
01 | Coordination of interaction
We form teams on both sides and agree the work plan and the project deadlines
02 | Conducting interviews
We interview business process owners, information security and IT staff, and users of information systems
03 | Analysis of the information received
We identify information security problems and develop a consolidated list of risks and unacceptable information security events
04 | Development of a Report with recommendations
We describe the current state of information security in the Company and develop a list of measures to prevent unacceptable information security events
05 | Information security risk assessment
We compile a list of assets with an assessment of their criticality for the Company, draw up a heat map and develop a methodology for treating information security risks
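The following is an added example, not ITGLOBAL.COM Security's own methodology or tooling. It sketches in code what steps 03 and 05 produce: a risk register of assets scored by likelihood and impact, the heat map those scores fall into, and a treatment recommendation (minimize, accept or transfer) that applies the page's principle that the cost of protection must not exceed the potential damage, with anything flagged as an unacceptable event minimized regardless. The 1..5 scales, the band thresholds, the assets and all monetary figures are assumptions constructed for illustration.

```python
"""
Added example (not ITGLOBAL.COM Security's methodology or code): a minimal
risk register, heat map and treatment decision for a risk-based IS audit.
All assets, scales, thresholds and figures are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed 1..5 ordinal scales for likelihood and impact (illustrative).
SCALE = range(1, 6)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    potential_damage: float    # estimated loss if the risk is realised
    control_cost: float        # cost of the proposed minimising control
    unacceptable: bool = False  # realisation would be an unacceptable event
    owner: str = ""            # "IT" or "IS", per the areas of responsibility

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be in 1..5")

    @property
    def score(self) -> int:
        """Classic likelihood x impact score, 1..25."""
        return self.likelihood * self.impact


def criticality(score: int) -> str:
    """Bucket a 1..25 score into heat-map bands (thresholds are assumed)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def treatment(r: Risk) -> str:
    """
    Recommend one of the page's three options.
    - An unacceptable event is always minimised, whatever the economics.
    - Otherwise minimise only if the control costs no more than the damage
      it prevents (the cost principle); a high-band risk whose control is
      not worth buying in-house is transferred (insurance, outsourcing);
      what remains is accepted as residual risk.
    """
    if r.unacceptable:
        return "minimize"
    if r.control_cost <= r.potential_damage:
        return "minimize"
    if criticality(r.score) == "high":
        return "transfer"
    return "accept"


def heat_map(risks):
    """5x5 grid indexed [impact][likelihood] holding asset names."""
    grid = {i: {l: [] for l in SCALE} for i in SCALE}
    for r in risks:
        grid[r.impact][r.likelihood].append(r.asset)
    return grid


def prioritise(risks):
    """Order for the action plan: unacceptable events first, then by score."""
    return sorted(risks, key=lambda r: (not r.unacceptable, -r.score, r.asset))


def render_heat_map(grid) -> str:
    """Text rendering: rows are impact (5 at top), columns are likelihood."""
    lines = ["impact\\likelihood " + " ".join(f"{l:>3}" for l in SCALE)]
    for i in reversed(SCALE):
        cells = " ".join(f"{len(grid[i][l]):>3}" for l in SCALE)
        lines.append(f"{i:>17} {cells}")
    return "\n".join(lines)


# Constructed sample register (illustrative figures, not real client data).
REGISTER = [
    Risk("ERP", "ransomware via phishing", 4, 5, 2_000_000, 150_000,
         unacceptable=True, owner="IS"),
    Risk("Wi-Fi", "rogue AP / weak WPA configuration", 3, 3, 50_000, 20_000,
         owner="IT"),
    Risk("Primary data centre", "fire or flood", 3, 5, 800_000, 1_200_000,
         owner="IT"),
    Risk("Intranet wiki", "stale accounts", 2, 1, 5_000, 30_000, owner="IS"),
]

if __name__ == "__main__":
    print(render_heat_map(heat_map(REGISTER)))
    for r in prioritise(REGISTER):
        print(f"{r.asset:<20} score={r.score:>2} {criticality(r.score):<6} "
              f"-> {treatment(r)} ({r.owner})")
```

The "unacceptable" flag deliberately short-circuits the cost comparison: the point of a separate list of unacceptable events is that they are treated as must-prevent regardless of the budget arithmetic, while ordinary risks are ranked by the heat map and then filtered by whether the control pays for itself.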