IT Risk Management
Selecting the risk module in the QSEC software menu activates the risk management functions. Complete IT risk management is carried out here according to the requirements of ISO 27005 and/or BSI. The potential weaknesses and threats of the asset groups in the corresponding scope (consisting of the relevant business units and the associated assets and standards) are determined.
The operational risk method implemented in this module works according to the requirements of the ISO/IEC 27005 standard or according to the IT basic protection requirements (200-3). The calculation methods and classification tables are predefined and can be customized to meet specific requirements. The stored threat and vulnerability catalogues (hazard and building block catalogues) are assigned to the existing asset types (infrastructure, IT hardware, IT software, cloud, etc.) and evaluated. Since the assessment of the security requirements (asset group value) is a company-specific value, the criteria can be configured flexibly. An adjustment is possible at any time via the administration tool.
During the risk assessment, the measures for risk reduction and the associated incidents (security incidents) are displayed. The following values are calculated:
- Protection requirements (asset group value),
- Likelihood of occurrence,
- Risk value in euros,
- Risk level,
- Net risk.
One of the great advantages of IT risk management assessment according to the methodology of ISO 27005 is the focus on the business processes of the company. The business processes stored in QSEC are evaluated for their criticality and assigned to the required asset groups (buildings, IT infrastructure, etc.).
Identified critical asset groups are checked for
- their data protection relevance and
- their financial value,

which together determine the need for protection. This enables the identification of concrete action plans to reduce weak points (risk treatment planning).
QSEC®: Tabular IT risk management overview sorted by status
QSEC®: hierarchical business process view with the IT risk overview according to the associated asset groups
QSEC®: Risk matrix of the risk levels of the considered asset groups
QSEC®: risk development in IT risk management