The software’s risk analysis function supports the company’s various types of risk analysis in a uniform way. Different types of risk analyses in a number of areas can be run concurrently and their results managed with one approach, in support of integrated, comprehensive enterprise risk management (ERM):
- Information security (CIA)
- Physical security
- Data security (PIA or DPIA)
- Business and process-based risk analysis
- Critical system – MI NDGDM [Ministry of the Interior, National Directorate-General for Disaster Management]
- Ad hoc, project-based
One or more, separately managed risk analysis threads/packages can be launched in the RISK module, with separate responsible persons and assessors. These can be various types of risk analyses or the separate risk analyses of separate areas.
The scope of the various risk analyses can be flexibly adjusted as regards threats and/or resources, so full-scale, partial, ad hoc or project-based risk analyses can be performed, and the security of other company areas (IT, physical, human resource, business security and data protection) can also be assessed. The risk analysis can be carried out periodically or continuously according to the needs of the organization.
The fundamental risk analysis methodological parameters and risk calculation methods can be widely customized in the software, providing an opportunity to take the Company’s attributes and the requirements of certain parent companies or legislation into account. The interpretation of effects and damages can be fully tailored to a company and its environment (material damages, damages to goodwill, legal consequences, personal injury, etc.). Public administration (Information Security Act), market, and GDPR-specific damages table templates are also available.
The methodological parameters and the freely expandable lists (threats, vulnerabilities, protective measures) in the risk analysis module are based on information security recommendations (NIST), standards (ISO) and legislation (Information Security Act), supplemented with Kürt’s experience and feedback. The applied risk analysis methodology and terminology comply with the specifications of the ISO/IEC 27005 standard.
Business Impact Analysis
The designated responsible users can carry out Availability, Confidentiality and Integrity based business impact analyses on the developed process / data / IT service inventories (Inventory) with the involvement of the responsible business persons. Although the results of this activity are used for risk analysis, they are not a prerequisite. Potential damage impacts due to business process, system or data asset failures can be assessed based on the company’s material and immaterial assessment standards.
The impact value of all assets can be classified on the basis of this analysis. Resources can be classified according to customizable CIA security levels. Classification may be manual or based on parameterizable rules calculated from the BIA results.
The risk analysis connects the vulnerabilities and protective measures of the data assets with the threats. Cause-and-effect simulations are available to analyze the consequences and the resulting business damages should those threats occur. Risks can be assessed and continuous risk management activities can be conducted.
The main characteristics of risk analysis:
- Threats are fundamental risk events that may occur with a certain degree of probability/frequency, taking into account the applicable protective measures (controls). Vulnerabilities are the weaknesses and deficiencies that threats can exploit. The software offers ISO and NIST standard-based basic threat, vulnerability and protective measure lists, supplemented with experience-based best practice data.
- Consequences (CIA or other business event approaches) can be assigned to risks and business impacts can be assigned to the consequences. The uniform interpretation of business effects is supported with a Damage effect table and assessment dimensions that can be freely parameterized (e.g. material, legal, goodwill, personal damages, etc.). Business effects can stem from separate business impact analysis (BIA) processes (Governance module process), or business impact assessments can also be freely performed in the RISK module for risk state changes.
- Inventory expansion model: status spread and impact tracking based on a cause-and-effect graph. The status change of dependent resources can be followed with graphical graph models, from the entry of a threat through to the status change in the resources that causes business damage.
- The risk analysis also takes the vulnerability data of other modules into account, such as the findings of the audit assessment, Compliance module, incident record data, etc.
- The risk analysis produces graduated risk lists and analysis reports.
- Consistency and validation examination functions check whether the results of the risk analysis are current (data changes).
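As an added example (not the product’s own code), a small Python model of the classification and dependency propagation described above: each asset gets an impact value from the BIA, the impact of losing an asset spreads along the Inventory dependency graph, and a threat’s likelihood is reduced by the protective measures applied to it. The asset, threat, vulnerability and control values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of the calculation the page describes: impact comes from the
# BIA, spreads along the inventory dependency graph, and likelihood is reduced
# by applied protective measures. All asset, threat and control names are made up.

@dataclass
class Asset:
    name: str
    bia_impact: int                       # 0-4 availability impact from the BIA
    depends_on: List[str] = field(default_factory=list)

@dataclass
class Threat:
    name: str
    asset: str                            # inventory item the threat acts on
    vulnerability: str                    # weakness the threat exploits
    likelihood: int                       # 1-5 base frequency without controls
    control_effect: int = 0               # likelihood levels removed by controls

def propagated_impact(assets: Dict[str, Asset], name: str, seen: frozenset = frozenset()) -> int:
    """Effective impact of losing an asset: its own BIA value or the highest impact of
    anything that depends on it (a failed database takes its services down)."""
    seen = seen | {name}                  # guards against dependency cycles
    dependents = [a.name for a in assets.values() if name in a.depends_on and a.name not in seen]
    return max([assets[name].bia_impact] + [propagated_impact(assets, d, seen) for d in dependents])

def residual_likelihood(t: Threat) -> int:
    """Likelihood after protective measures; never below the lowest level."""
    return max(1, t.likelihood - t.control_effect)

def risk_register(assets: Dict[str, Asset], threats: List[Threat]) -> List[Tuple[str, int]]:
    """Prioritized risk list: residual likelihood x propagated impact, highest first."""
    rows = [(f"{t.name} via {t.vulnerability} on {t.asset}",
             residual_likelihood(t) * propagated_impact(assets, t.asset)) for t in threats]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed inventory: the portal needs the order service, which needs the database.
ASSETS = {a.name: a for a in [
    Asset("customer-db", 1),
    Asset("order-service", 4, ["customer-db"]),
    Asset("web-portal", 3, ["order-service"]),
]}
THREATS = [
    Threat("ransomware", "customer-db", "unpatched OS", likelihood=4, control_effect=2),
    Threat("power failure", "web-portal", "single power feed", likelihood=3),
]

if __name__ == "__main__":
    for label, score in risk_register(ASSETS, THREATS):
        print(f"{score:>3}  {label}")
```

Note that the database’s own BIA impact is only 1, yet it is scored at 4 because the order service that depends on it would fail with it.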
Integrated assessment and continuous management of risks
Various analysis reports can be used to evaluate the risks identified in the course of the risk analysis and to make risk management decisions. The results of multiple risk analyses can be evaluated and managed separately and in an integrated manner.
Detailed measures can be planned for the risks. The connection between risk management measures and risks can be freely defined (n-n relationships). Task management functions (responsible persons, statuses, email notifications and reports) support the implementation of risk management measures, including time comparisons (status as at the analysis, current status, future planned status). The aim of the risk management and reporting functions is the continuous management of the company’s risk-proportionate protection. Risk report features:
- Graphic analyses of the set of risks from various aspects
- Risk heat map and distribution reports
- Risk management reports that support time aspects
- The spread of risks in Inventory dependency figures
- Comprehensive text-based (docx) Risk analysis reports can be generated on the entire risk analysis and management status.
Results of risk management
- Prioritized risks list with analysis reports
- Risk management reports with time aspects (as at analysis -> current -> planned)
- Textual risk management report document
- Risk management plan(s)