{"title":"Automation of risk management processes","authors":"M. Šterbák, P. Segec, Ján Jurč","doi":"10.1109/ICETA54173.2021.9726596","DOIUrl":null,"url":null,"abstract":"Information technology and computing, such as computers, printers, network devices, cloud storage, cloud services and, last but not least, application software, are an integral part of any organization. These information assets are key to the organization, and it is therefore essential that they adhere to three aspects of information security. Namely availability, integrity, and confidentiality. Security, as well as these three aspects, is addressed by information security management, which is defined in ISO 2700x standards. According to these standards, security is dedicated to the planning, implementation, control and subsequent monitoring and improvement of the information security management system. To successfully secure a system, it is necessary to know what and to what extent we want to secure. In order for this to be possible, it is necessary to take steps to identify and assess information assets, as well as to identify and assess risks. Based on the information obtained, it is then possible to create security policies and define countermeasures to reduce security risks. However, the information security risk management is a costly, demanding and complex activity. There are some possibilities how to automate and improve the process of identifying and assessing risks, but the first step in the whole process is always the identification of information assets. And this is still largely done manually and at length, based on available resources. 
In this article, we will provide a description of individual subprocesses of information security risk management and we identify the possibilities of applying automation to individual subprocesses and their interconnection to a complex information system.","PeriodicalId":194572,"journal":{"name":"2021 19th International Conference on Emerging eLearning Technologies and Applications (ICETA)","volume":"69 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-11-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 19th International Conference on Emerging eLearning Technologies and Applications (ICETA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICETA54173.2021.9726596","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 2
Abstract
Information technology and computing, such as computers, printers, network devices, cloud storage, cloud services and, last but not least, application software, are an integral part of any organization. These information assets are key to the organization, and it is therefore essential that they adhere to three aspects of information security, namely availability, integrity, and confidentiality. Security, as well as these three aspects, is addressed by information security management, which is defined in the ISO 2700x standards. According to these standards, security is dedicated to the planning, implementation, control and subsequent monitoring and improvement of the information security management system. To successfully secure a system, it is necessary to know what we want to secure and to what extent. To make this possible, it is necessary to take steps to identify and assess information assets, as well as to identify and assess risks. Based on the information obtained, it is then possible to create security policies and define countermeasures to reduce security risks. However, information security risk management is a costly, demanding and complex activity. There are some possibilities for automating and improving the process of identifying and assessing risks, but the first step in the whole process is always the identification of information assets, and this is still largely done manually and at length, based on available resources. In this article, we describe the individual subprocesses of information security risk management and identify the possibilities of applying automation to individual subprocesses and their interconnection to a complex information system.