
2. You cannot deal with what you cannot see
―Visualizing information security risks―

Identifying information security risks

For risks that are visible, measures can be planned and implemented with the specific features of each risk in mind. For risks that remain invisible, general measures applied without regard to the features of those risks are unlikely to be adequate.

Risk assessment analyzes a wide range of risks related to information assets. In an internal audit, how should the auditor judge the criticality of those assets, the threats to and vulnerabilities of them, the resulting risks, and whether the risk treatment measures are adequate?

This can be examined using the example of an information asset “new product drawings.”

  • Criticality: if the new product is one on which the future of the company may depend, the criticality of its drawings will be judged to be very high.
  • Threats and vulnerabilities: drawings in electronic form may be leaked or falsified, while paper drawings may be stolen, lost or damaged. Such incidents must be prevented.
  • Risks and measures against them: for electronic data, access permission control and regular backups; for paper drawings, storage in a locked, fireproof drawing storage room.

These are general measures against risks that are visible. Beyond them, there may be risks that are not visible.

The following are some of the invisible risks:

  • Integrity of drawings: when a drawing is revised, is the change communicated accurately and completely to the relevant departments and affiliates?
  • Confidentiality of drawings: when drawings are provided to affiliates for parts production, are they stored in an environment where confidentiality is ensured and handled appropriately? Do the companies to which the affiliates subcontract part of the work also keep the drawings confidential? Do the contracts and memorandums require reporting on the status of that confidentiality, and is it checked regularly?
  • Lifecycle: is the lifecycle of each drawing clearly defined from creation through disposal, and are records kept? In particular, are drawings provided to affiliates for development returned or appropriately disposed of when the contracted work is complete?
  • Transport of drawings: when drawings are transported, whether as encrypted email attachments or by hand delivery, have risks such as misaddressed transmissions and loss of data been examined and countered?
  • Other risks may also remain invisible.

Finding these risks requires going beyond analyzing the confidentiality, integrity and availability of the information assets themselves. Risk analysis must cover not only the information assets but also their physical protection (facilities), their operation (lifecycle), and compliance with the laws, regulations and contracts that affect the security of those assets.

Visualization of invisible risks

Visualizing every issue related to the organization makes it possible to identify its situation accurately, find the risks, and implement appropriate measures against them.
Once everything is visualized, you may find a great many things about the organization and its features that you were unaware of or had misunderstood.

What issues, then, need to be visualized?

  • State and features of the organization
  • Environment surrounding the organization
  • Potential risks (threats)
  • Vulnerabilities
  • Anti-risk measures

Visualizing the audited department means knowing the party being audited, and knowing that party lets the auditor identify the important points to focus on. To carry out an audit effectively within a limited timeframe, auditors must keep their attention on those points.

How, then, should the issues be visualized?

  • Job charts created for establishing and maintaining the ISMS
  • Workflow diagrams created to extract information assets
  • Results of interviews with the ISMS promotion department and the audited organizations
  • Review of internal documents

There are also various other visualization methods. Here, modeling by mind mapping is shown as an example of a visualization tool.

Figure 2-1 [Reference] Example of mind mapping used as a visualization method - Modeling to understand the condition of the organization audited -Provided by Takuro Haneda, Information Security Consulting Group, Consulting Promotion Office, Solution Marketing Division, Ricoh Japan Corporation


Mind mapping, devised by Tony Buzan, expresses ideas as linked keywords. The human brain stores a vast number of memories, and keywords trigger their recall; even without lists or documents, a great deal can be recalled from keywords alone. When an analyst's thinking is visualized as linked keywords, every participant can share and review that thinking.
ThinkBuzan of the United Kingdom holds all rights related to mind mapping.

Visualizing the audited organization reveals the relationship between visible and invisible risks, so that previously unrecognized risks can be noticed.

Figure 2-2 Example of visualization of risks related to drawings of a new product

The auditing and audited parties should share the same information. If the quality of the information held by the two parties differs, the quality of the organization's management system declines. Under an ISMS, both parties can work to improve the management system by sharing the organizational profile and a common recognition of the risks.

Structure of risk analysis targets

Risk assessments are generally carried out primarily on information assets.
Under an ISMS, however, risks arising from specific business requirements and from legal and regulatory requirements must also be assessed.
Threats to information assets arise from the operation (lifecycle) and environment (facilities) of those assets, and from compliance with the related laws, regulations and contracts. Risk assessment must therefore cover all of these elements.

In order to protect information assets, it is necessary to understand the structure of the risk analysis targets such as shown below.

  • Information
  • Media on which information is stored
  • Facilities in which information is stored
  • Environment for the facilities (rooms, buildings, premises, etc.)
  • IT devices and software used for the manipulation of electronic information
  • Power supply for IT devices and services such as communication
  • People who manage the above

Risk analysis targets related to information assets are classified into the following.

  • (1) Information
  • (2) Physical assets
  • (3) Service assets
  • (4) Software assets
  • (5) Intangible assets
  • (6) Human resources

In risk assessment, it is necessary to check whether each of these information assets falls within the scope of the ISMS, create a ledger of all relevant information assets, identify the threats to and vulnerabilities of each asset, and examine the countermeasures to be taken.
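The following is an added example, not part of the original article, showing one way an internal auditor can make the gap described above and in the section on invisible risks visible mechanically. It models a risk register in which every risk is tagged with the analysis target it was found against (the asset itself, its lifecycle, its facilities, or compliance with laws and contracts) and then reports, per asset, which analysis targets have no risk entry at all and which risks have no treatment decided. The asset names, risk descriptions and treatments are constructed sample data loosely following the "new product drawings" example; the category labels in TARGETS are an assumption, not a term from the standard.

```python
"""Coverage check for an ISMS risk register (added example, constructed data).

The check flags two things an audit of the "new product drawings" asset would
want to see: analysis targets (asset / lifecycle / facility / compliance) that
have no risk entry for an asset, and risks whose treatment is still blank.
"""
from collections import defaultdict
from dataclasses import dataclass

# Analysis targets every asset must be assessed against. Labels are assumed.
TARGETS = ("asset", "lifecycle", "facility", "compliance")


@dataclass(frozen=True)
class Risk:
    asset: str
    target: str        # one of TARGETS
    prop: str          # security property at stake: "C", "I" or "A"
    description: str
    treatment: str = ""  # empty string means no countermeasure decided yet


# Constructed sample register. Asset-level risks are the "visible" ones from
# the text; the lifecycle and compliance entries are the "invisible" ones.
ELECTRONIC = "New product drawings (electronic)"
PAPER = "New product drawings (paper)"

REGISTER = [
    Risk(ELECTRONIC, "asset", "C", "Drawing data leaked from the file share",
         "Access permission control"),
    Risk(ELECTRONIC, "asset", "I", "Drawing data falsified",
         "Access permission control; regular backup"),
    Risk(ELECTRONIC, "lifecycle", "I",
         "Revised drawing not communicated to affiliates"),
    Risk(ELECTRONIC, "compliance", "C",
         "Affiliate's subcontractor keeps copies; no confidentiality reporting clause"),
    Risk(PAPER, "asset", "A", "Paper drawings stolen, lost or damaged",
         "Locked fireproof drawing storage room"),
    Risk(PAPER, "lifecycle", "C",
         "Drawings lent to affiliates not returned or disposed of after the work"),
]


def coverage_gaps(register, targets=TARGETS):
    """Return {asset: [analysis targets with no risk entry]}, sorted by asset.

    An unknown target label is an error rather than silently ignored, because
    a mislabelled entry would otherwise hide a gap.
    """
    covered = defaultdict(set)
    for r in register:
        if r.target not in targets:
            raise ValueError(f"unknown analysis target {r.target!r} for {r.asset!r}")
        covered[r.asset].add(r.target)
    return {asset: [t for t in targets if t not in covered[asset]]
            for asset in sorted(covered)}


def untreated(register):
    """Risks in the register for which no treatment has been recorded."""
    return [r for r in register if not r.treatment.strip()]


def audit_report(register):
    """Plain-text findings an auditor would raise with the audited department."""
    lines = []
    for asset, gaps in coverage_gaps(register).items():
        if gaps:
            lines.append(f"{asset}: no risk entry for {', '.join(gaps)}")
    for r in untreated(register):
        lines.append(f"{r.asset}: untreated {r.target}/{r.prop} risk: {r.description}")
    return lines


if __name__ == "__main__":
    for line in audit_report(REGISTER):
        print(line)
```

Run as a script, the report shows that neither form of the drawings has any risk recorded against the facility target, that the paper drawings also lack a compliance entry, and that the three lifecycle and compliance risks have no treatment yet; these are exactly the items an auditor would raise and the audited department would add to its ledger.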

In internal audits, the auditor needs to check that the organization recognizes all of these risk analysis targets and assesses them appropriately.