2.1. Identification of Information Security Risks
For visible risks, we can plan and implement appropriate measures in consideration of their specific features, but for invisible risks, the features of which we do not know, simply implementing measures that are suitable for visible risks might not be appropriate.
In risk assessment, a range of information asset-related risks are analyzed. How should internal auditors make judgments about the materiality, threats and vulnerabilities of the analyzed risks and the appropriateness of the measures taken against those risks?
The answer to this question is shown in the following, which employs drawings of a new product as an example of an information asset.
In order to identify these risks, it appears necessary to go beyond simply analyzing the confidentiality, integrity and availability of the information assets themselves. The targets of risk analysis include not only information assets but also the following: physical facilities that may impact the security of information assets; the lifecycle of the information assets; and compliance with laws, regulations, and provisions set forth in the related agreements.
2.2. Visualization of Invisible Risks
Visualization of all issues related to your organization helps to identify risks and to implement appropriate measures against them.
After visualizing all the issues, you may find that there are a great number of items that you were unaware of or that you misunderstood about your organization and its features.
Then, what issues need to be visualized?
There are also various other visualization methods. As an example of a visualization tool, modeling by mind mapping is introduced as follows.
Figure 2-1 Example of mind mapping used as a visualization method (reference): modeling to understand the condition of the organization to be audited
Provided by Takuro Haneda, Information Security Consulting Group, Consulting Promotion Office, Solution Marketing Division, Ricoh Japan Corporation
Mind mapping, which was invented by Tony Buzan, is based on chained descriptions of keywords. The human brain can store a massive amount of memories, and these memories can be recalled with the use of keywords. Without itemization or the use of documents, it is possible to recall a vast amount of memories based on these keywords. If an analyzer visualizes the process of his/her thinking using a chained description of keywords, all those concerned are able to share and review the process together.
ThinkBuzan of the United Kingdom possesses all rights related to mind mapping.
Internal auditors can understand how visible risks are associated with invisible risks by visualizing the organizations that they are auditing, thus becoming aware of risks that were previously unknown.
Figure 2-2 Visualization of risks related to drawings of a new product
Internal auditors and departments to be audited are both required to share the same information. If the quality of the information possessed by both parties differs, the quality of the organization's ISMS will be badly affected. Both parties can further improve the management system by sharing the organizational profile and by recognizing risks.
2.3. Structure of Risk Analysis Targets
Risk assessments are generally carried out primarily targeting information assets.
Under the ISMS, however, it is also necessary to assess risks regarding specific business requirements as well as those that concern legal and regulatory requirements.
Threats to information assets are related to their life-cycle management and environment (facilities), as well as to compliance with related laws, regulations and agreements. Risk assessments must therefore be conducted targeting all these elements.
For the protection of information assets, it is necessary to understand the structure of the risk analysis targets as shown below.