Risk assessment and management
The RISK module can be used to keep records of information security risk analyses and the steps taken for their management.
The risk analysis connects the vulnerabilities and protective measures of the data assets with the threats. If they were to occur, cause and effect simulations are available to analyze the consequences and the resulting business damages. Risks can be assessed and continuous risk management activities can be conducted.
The fundamental risk analysis methodological parameters and risk calculation methods can be widely customized in the software, providing an opportunity to take the organization’s attributes and the requirements of certain parent companies or legislation into account. The interpretation of effects and damages can be fully tailored to an organization and its environment.
The methodological parameters and the freely expansible lists (threats, vulnerabilities, protective measures) in the risk analysis module are based on information security recommendations (NIST), standards (ISO), and legislation (Information Security Act), supplemented with Kürt’s experience and feedback. The applied risk analysis methodology and terminologies are compliant with the specifications of the ISO/IEC 27005 standard. Risk analysis cornerstones:
- asset item
- security measure
- business impact
- risk management
- residual risk
Various analysis reports can be used to evaluate prioritized risks identified in the course of the risk analysis, allowing the making of risk management decisions. Detailed measures can be planned for the risks. The implementation of task management functions assists in risk management measures with the use of responsible persons, statuses, email notifications, and reports that support even time comparisons (status as at the analysis, current date status, future planned status). The aim of risk management and reporting functions is the continuous management of the organization’s risk-proportionate protection. In addition to numerous other reports, a comprehensive Risk Analysis Report (docx) on the current results and status of the risk analysis and the applied methodology can be generated for use in ISO audits.
The Risk module can be used to run more than one and more than one type of risk analysis (e.g. business, physical, human, data protection, critical infrastructure, etc.) concurrently, the results of which can be managed in a uniform approach in the interest of implementing and supporting integrated comprehensive enterprise risk management (ERM).