Risk-based IS audit and the concept of unacceptable events
Consideration of business specifics
Certified specialists
Post-audit support
Minimizing IS risks
A risk-based approach to information security is a way of ensuring IS that is built on the analysis and prioritization of risks.
The focus is on identifying and understanding potential threats and risks, and applying appropriate security measures to manage them. This approach requires continuous monitoring and adaptation to changing conditions and threats.
In the course of the audit we compile a consolidated list of IS risks for the company and develop a methodology for handling them, on the basis of which the Client can decide what to do with each risk in the future: minimize it, accept it, or transfer responsibility for it to a third party.
We also compile a consolidated list of unacceptable IS events for the company and develop recommendations to minimize the probability of such events occurring in the Client's business.
An unacceptable IS event is an event or action that violates information security policies, procedures, rules or regulations. Examples include unauthorized access, malware, phishing, fake websites and the like.
The cost of protecting an asset must not exceed the cost of the potential damage that its loss or compromise could cause. This is the principle that ITGLOBAL.COM security auditors adhere to in the course of providing the service.
Why identify risks and compile a list of unacceptable IS events
IS budget savings
Helps allocate the IS budget correctly by addressing the most critical violations first
Distribution of responsibilities between IT and IS departments
Increase efficiency and reduce time spent on tasks
Minimizing IS risks
Knowing the possible risks and how critical each one is for the business, you can prepare in advance for negative situations
Reducing the probability of IS incidents
Implementing the recommendations will help you raise the level of protection of confidential information in the Company
Our clients
Risk-based IS audit and the concept of unacceptable events.
Order a service
In the course of providing the service, the Auditor collects information on the components included in the following research areas:
Network and wireless infrastructure
Infrastructure services (OS, SRC, etc.)
Application services (DBMS, ERP, etc.)
Protection of confidential information
Managing access to IT infrastructure components
Security control (DLP, malware protection, etc.)
Organization of fault tolerance of information infrastructure components
Secure software development
The result of the audit of information security processes based on risk and the concept of unacceptable events is a Report, which consists of:
Summary
General description of the audit results without using specialized terminology, but with assessment of the criticality of the identified violations in information security processes
Detailed Report
Description of the current state of IS processes and of the identified violations, with detailed information on how to remediate each violation
Areas of responsibility
This section provides information on the division of responsibilities between IT and IS specialists
What to do with the Report
Analyze the results
Carefully review the Report to analyze the identified violations, potential consequences, and recommendations for remediation.
Develop an action plan
Create an action plan to address the identified violations in IS processes. Set timelines and assign responsible parties to ensure an appropriate response to each issue.
Handle risks
Take measures to handle the risks and implement protection against unacceptable IS events in accordance with the developed action plan.
Train staff
Conduct employee training to raise awareness of the risks and of security best practices.
How an Audit is Conducted
01. Harmonization of interaction: form teams on both sides, agree on a work plan and on deadlines for the project.
02. Conducting interviews: we interview business process owners, IS and IT staff, and users of the information systems.
03. Analyzing the information received: identify information security problems and develop a consolidated list of IS risks and unacceptable events.
04. Development of a Report with recommendations: describe the current state of information security in the Company and develop a list of measures to prevent the occurrence of unacceptable IS events.
05. IS risk assessment: formulate a list of assets with an assessment of their criticality for the Company, draw up a heat map and develop a methodology for handling IS risks.
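The page describes three pieces of the method without showing how they fit together: the list of risks with a treatment decision (minimize, accept or transfer), the rule that the cost of protection must not exceed the potential damage, and the asset criticality heat map from step 05. The following is an added example, not ITGLOBAL.COM's own methodology or tooling, that ties them together in a small risk register. The 1 to 5 likelihood and impact scales, the score thresholds for low/medium/high, the rule that any maximum-impact event is treated as an unacceptable event, the annualized loss expectancy (ALE = single loss × annual rate of occurrence) used to price the damage, and all figures in the register are assumptions constructed for the illustration.

```python
"""Added example: a minimal risk register that scores each risk on a
likelihood x impact grid, renders the heat map, and recommends a treatment
using the rule that a control is only worth buying if its annual cost does
not exceed the loss it prevents. Scales, thresholds and data are assumed."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int        # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int            # 1 (negligible) .. 5 (business-critical), assumed scale
    single_loss: float     # estimated loss per occurrence (SLE), constructed
    annual_rate: float     # expected occurrences per year (ARO), constructed
    control_cost: float    # annual cost of the proposed control, constructed
    control_effect: float  # fraction of occurrences the control removes (0..1), constructed


def score(r: Risk) -> int:
    return r.likelihood * r.impact


def level(r: Risk) -> str:
    s = score(r)
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def is_unacceptable(r: Risk) -> bool:
    # Assumption: any event with maximum impact goes on the unacceptable-events
    # list regardless of how likely it currently is.
    return r.impact == 5


def ale(r: Risk) -> float:
    # Annualized loss expectancy = single loss x annual rate of occurrence
    return r.single_loss * r.annual_rate


def prevented_loss(r: Risk) -> float:
    return ale(r) * r.control_effect


def treatment(r: Risk) -> str:
    # Cost of protection must not exceed the damage it averts: if the control
    # pays for itself, minimize; otherwise transfer what the business cannot
    # live with (insurance, outsourcing) and accept the rest.
    if r.control_cost <= prevented_loss(r):
        return "minimize"
    if is_unacceptable(r) or level(r) == "high":
        return "transfer"
    return "accept"


def prioritize(risks):
    # Highest score first; ties broken by annualized loss
    return sorted(risks, key=lambda r: (score(r), ale(r)), reverse=True)


def heat_map(risks):
    # 5x5 grid of counts; row 0 is likelihood 5, column 0 is impact 1
    grid = [[0] * 5 for _ in range(5)]
    for r in risks:
        grid[5 - r.likelihood][r.impact - 1] += 1
    return grid


def render_heat_map(risks) -> str:
    lines = ["L\\I  1  2  3  4  5"]
    for row_idx, row in enumerate(heat_map(risks)):
        cells = "  ".join(str(c) if c else "." for c in row)
        lines.append(f" {5 - row_idx}   {cells}")
    return "\n".join(lines)


# Constructed sample register (not real audit data)
REGISTER = [
    Risk("ERP DB", "SQL injection via web portal", 3, 5, 400_000, 0.2, 30_000, 0.9),
    Risk("Office Wi-Fi", "Rogue AP credential capture", 4, 2, 5_000, 2.0, 20_000, 0.8),
    Risk("Backups", "Ransomware destroys backup copies", 2, 5, 1_000_000, 0.1, 50_000, 0.4),
    Risk("Guest portal", "Defacement", 4, 1, 2_000, 1.0, 500, 0.9),
]

if __name__ == "__main__":
    print(render_heat_map(REGISTER))
    for r in prioritize(REGISTER):
        flag = " [unacceptable event]" if is_unacceptable(r) else ""
        print(f"{r.asset:13} {level(r):6} score={score(r):2} "
              f"ALE={ale(r):>10,.0f} -> {treatment(r)}{flag}")
```

In the sample data the Wi-Fi control costs more per year than the loss it would prevent, so the register recommends accepting that risk, while the backup ransomware scenario is an unacceptable event whose proposed control does not pay for itself, so it is flagged for transfer rather than silently accepted. A real register would replace the constructed loss figures with numbers agreed with the business process owners interviewed in step 02.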