Selecting the risk tile activates the functions of the risk module. The operational risk method implemented in this module is based on the ISO/IEC 27005 standard. The calculation method and the classification chart are predefined and can be customized to current requirements. The stored threat and vulnerability catalogues are assigned to the existing asset types and rated against them; the assignment can be changed at any time using the administration tool. During evaluation, the measures to reduce the risk and the linked security incidents are shown. The following areas are calculated: protection need, probability of occurrence, risk value in €, risk step, and net risk.
An extract of the features:
- Individual visualization of inspection areas;
- Approach in accordance with the ISO 27005 standard (threat list and vulnerability list, including possible combinations);
- Capture of the criticality of business processes;
- Flexibly configurable asset group value criteria;
- "Information" as a further primary asset type in addition to the business processes;
- Identification of vulnerabilities and threats affecting protection items;
- Display of in-progress, completed and aborted measures per valuation;
- Display of security incidents per valuation;
- Identification of individual risk values of protection items;
- Identification of potential impacts of risks on the business processes;
- Creation of measures to reduce the risks;
- Generation of a risk acceptance report on non-implementation;
In this area you carry out the entire IT risk management process in accordance with the ISO 27005 standard and identify all vulnerabilities and threats within your scope.
A great advantage of the ISO 27005 methodology is that IT risk management is aligned with the company's business processes. The business processes are evaluated for their criticality, and the assets that support them are assigned to them.
Identified critical assets (IT systems consisting of applications, databases and hardware) are analyzed for availability, integrity, confidentiality, privacy relevance and their financial value. This allows concrete action plans to be derived for preventing threats and closing vulnerabilities. Because the assessment of criticality is a very company-specific value, the criteria can, of course, be configured flexibly.
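As an added illustration (not the product's own code) of the calculation chain named above (protection need, probability of occurrence, risk value in €, risk step, net risk) and of the criticality assessment of assets: the formulas, the 1..3 rating scale, the classification chart and the sample asset are assumptions chosen for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    financial_value_eur: float
    ratings: dict  # confidentiality/integrity/availability/privacy on a 1..3 scale (assumed)


@dataclass
class Measure:
    name: str
    status: str       # "completed", "processing" or "aborted"
    reduction: float  # share of the gross risk removed once completed, 0..1


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    probability: float  # probability of occurrence per year, 0..1
    measures: list = field(default_factory=list)


# Assumed classification chart: (upper bound in EUR, risk step); customizable in practice.
RISK_STEPS = [(10_000, "low"), (50_000, "medium"), (float("inf"), "high")]


def protection_need(asset: Asset) -> int:
    """Maximum principle (assumed): the highest single rating sets the protection need."""
    return max(asset.ratings.values())


def risk_value_eur(risk: Risk) -> float:
    """Gross risk value (assumed formula): asset value times probability of occurrence."""
    return risk.asset.financial_value_eur * risk.probability


def risk_step(value_eur: float) -> str:
    """Map a risk value in EUR onto the classification chart."""
    return next(step for bound, step in RISK_STEPS if value_eur <= bound)


def net_risk_eur(risk: Risk) -> float:
    """Net risk: only completed measures reduce the gross risk; measures still
    in progress or aborted are displayed per valuation but do not count."""
    done = sum(m.reduction for m in risk.measures if m.status == "completed")
    return risk_value_eur(risk) * (1 - min(done, 1.0))


def process_exposure(risks: list) -> float:
    """Potential impact on a business process: the sum of the net risks of the
    assets assigned to it."""
    return sum(net_risk_eur(r) for r in risks)
```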