Information security is an issue of critical importance for institutions today. Institutions must manage information security risks to prevent both financial and reputational losses. Security breaches such as data leakage, unauthorized access, and data loss can lead to both financial and reputational damages. Information security risk analysis is an important step to identify these risks and reduce their effects.
In this article, we will conduct a general literature research on risk management and risk analysis methodologies in information security. In particular, we will examine what approaches three popular risk analysis methodologies such as ISO, NIST and PCI-DSS offer in this field.
What is the risk?
Risk is defined as the positive or negative effects of uncertain elements, factors, or internal and external factors that may arise in the future regarding the institution's harm, loss, danger, or damage, on the institution's achievement of its goals and objectives.
Risk= Likelihood of the Threat * Impact of the Threat
Risk Management Techniques
Risk management involves the process of identifying, assessing, reducing or accepting and managing uncertainties. This process may involve a range of methods and methodologies:
Risk Reduction: Taking measures to reduce the risk value of the asset.
Risk Transfer: It is the process of transferring the risk to another person by performing a transaction such as insurance.
Accepting Risk: Accepting the losses that will occur if the risk occurs.
Risk Denial: The state of not accepting the risk by not using the system or service that will create the risk.
Risk management focuses on developing strategies to both minimize negative risks (danger) and evaluate and exploit positive risks (opportunity).
Risk Analysis Methodologies
ISO (International Organization for Standardization)
Information security standards developed by ISO (International Organization for Standardization) are one of the important resources used to help institutions manage information security risks.
ISO 27001 Information Security Management System Standard is an international standard that provides a framework for establishing, implementing, monitoring and maintaining information security management systems. It covers the risk management process and determines risk analysis and evaluation methods for the protection of information assets. It also guides an organization in determining and implementing information security policies and processes.
The ISO 27002 Information Security Improvement Standard is a supporting standard of ISO 27001 and provides detailed guidance for information security controls. This standard helps organizations understand how to implement controls on different information security issues.
ISO 31000 Risk Management Standard is a standard that generally defines risk management processes. This standard helps organizations manage all types of risks, including information security risks. It covers the processes of identifying, assessing, managing and monitoring risks. It can form the basis of information security risk management methodologies. This standard can guide organizations' broader risk management efforts that include information security risk management.
NIST (National Institute of Standards and Technology)
NIST (National Institute of Standards and Technology) is an institution that is considered an authority in the field of information security in the United States. NIST SP 800-30 revised standard is used for risk analysis. The main purpose of this standard is to provide a methodology for identifying and evaluating risks and taking appropriate measures for risks. NIST SP 800-30 helps an organization determine risk tolerance levels and develop risk management strategies.
PCI-DSS (Payment Card Industry Data Security Standard)
PCI-DSS (Payment Card Industry Data Security Standard) is a standard created to ensure the security of credit card data used in financial transactions. PCI-DSS requirement 12.2, a component of this standard, requires payment card processors to conduct risk analysis and implement security measures. PCI-DSS provides a methodology that includes risk analysis and assessment processes. This standard covers a number of requirements such as protection of credit card information, network security, security policies and processes.
Risk management and risk analysis in information security is an important step to identify the security vulnerabilities of institutions and take appropriate measures. Standards such as ISO, NIST, and PCI-DSS provide organizations with guidance on risk analysis methodologies and security measures. These methodologies also form an important basis for ensuring information security and ensure that institutions are effectively protected against risks.
Source
-Kara, M., Kurumsal Bilgi Güvenliği, (1. basım), İstanbul: Papatya Yayıncılık Eğitim,2018
https://www.pcisecuritystandards.org/document_library/?category=pcidss&document=pci_dss
https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
https://csrc.nist.gov/News/2012/NIST-Special-Publication-800-30-Revision-1
